It is reported that a compromised remote host can lead to running commands on the Ansible controller.
Verified attack vectors across devel branch/2.2/2.1 and have created private branches to address the issue across these versions. Due to the holidays, we will hold off on disclosing the vulnerability and will release new candidate versions for stable-2.1 and stable-2.2 branches (2.1.4 RC1 and 2.2.1 RC3 respectively) ASAP in early January.
I've attached the original reporter's research and findings.
Created attachment 1234010: Computest's original findings, code and reporting.
Ansible 2.2.1 RC3 and 2.1.4 RC1 were released today, which contain fixes for the security bugs above.
We need Fedora and EPEL tracking bugs for this.
Created ansible tracking bugs for this issue: Affects: fedora-all [bug 1412356] Affects: epel-all [bug 1412357]
v2.2.1.0 was released upstream today and fixes this bug.
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2017:0195 https://rhn.redhat.com/errata/RHSA-2017-0195.html
This issue has been addressed in the following products: Red Hat Gluster Storage 3.1 for RHEL 7 Via RHSA-2017:0260 https://rhn.redhat.com/errata/RHSA-2017-0260.html
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.2 Red Hat OpenShift Container Platform 3.3 Red Hat OpenShift Container Platform 3.4 Via RHSA-2017:0448 https://access.redhat.com/errata/RHSA-2017:0448
This issue has been addressed in the following products: Red Hat Storage Console 2 for Red Hat Enterprise Linux 7 Via RHSA-2017:0515 https://access.redhat.com/errata/RHSA-2017:0515
This issue has been addressed in the following products: RHEV Engine version 4.1 Via RHSA-2017:1685 https://access.redhat.com/errata/RHSA-2017:1685