Bug 1450018 (CVE-2017-7481) - CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
Summary: CVE-2017-7481 ansible: Security issue with lookup return not tainting the jin...
Status: CLOSED ERRATA
Alias: CVE-2017-7481
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170509,repor...
Keywords: Security
Depends On: 1474160 1441482 1441485 1450279 1450280 1451059 1451060 1451061 1451062 1455377 1455378 1461920 1470914
Blocks: 1450036 1453037
TreeView+ depends on / blocked
 
Reported: 2017-05-11 11:59 UTC by Borja Tarraso
Modified: 2019-06-11 11:13 UTC (History)
40 users (show)

(edit)
An input validation flaw was found in Ansible, where it fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
Clone Of:
(edit)
Last Closed: 2019-06-08 03:12:23 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1244 normal SHIPPED_LIVE Important: ansible and openshift-ansible security and bug fix update 2017-05-25 21:43:49 UTC
Red Hat Product Errata RHSA-2017:1334 normal SHIPPED_LIVE Important: ansible security update 2017-05-25 21:13:37 UTC
Red Hat Product Errata RHSA-2017:1476 normal SHIPPED_LIVE Important: ansible security update 2017-07-25 06:19:46 UTC
Red Hat Product Errata RHSA-2017:1499 normal SHIPPED_LIVE Important: ansible security update 2017-06-19 17:34:13 UTC
Red Hat Product Errata RHSA-2017:1599 normal SHIPPED_LIVE Important: ansible security update 2017-07-25 06:20:03 UTC
Red Hat Product Errata RHSA-2017:2524 normal SHIPPED_LIVE Moderate: ansible security, bug fix, and enhancement update 2017-08-23 00:13:55 UTC

Description Borja Tarraso 2017-05-11 11:59:49 UTC
Jason McKerr of Red Hat reports:

Data returned in lookup() variables is not marked as unsafe and could result in unicode strings being passed through to the jinja2 templating system.

Comment 3 Andrej Nemec 2017-05-12 07:02:28 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1450280]
Affects: fedora-all [bug 1450279]

Comment 9 errata-xmlrpc 2017-05-17 17:42:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.2
  Red Hat OpenShift Container Platform 3.3
  Red Hat OpenShift Container Platform 3.4
  Red Hat OpenShift Container Platform 3.5

Via RHSA-2017:1244 https://access.redhat.com/errata/RHSA-2017:1244

Comment 12 Andrej Nemec 2017-05-25 15:30:55 UTC
Acknowledgments:

Name: Evgeni Golov (Red Hat)

Comment 13 errata-xmlrpc 2017-05-25 17:14:57 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 7

Via RHSA-2017:1334 https://access.redhat.com/errata/RHSA-2017:1334

Comment 14 errata-xmlrpc 2017-05-25 17:44:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.2
  Red Hat OpenShift Container Platform 3.3
  Red Hat OpenShift Container Platform 3.4
  Red Hat OpenShift Container Platform 3.5

Via RHSA-2017:1244 https://access.redhat.com/errata/RHSA-2017:1244

Comment 16 errata-xmlrpc 2017-06-15 22:28:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2017:1476 https://access.redhat.com/errata/RHSA-2017:1476

Comment 17 errata-xmlrpc 2017-06-19 13:35:42 UTC
This issue has been addressed in the following products:

  Red Hat Storage Console 2 for Red Hat Enteprise Linux 7

Via RHSA-2017:1499 https://access.redhat.com/errata/RHSA-2017:1499

Comment 20 errata-xmlrpc 2017-06-28 15:21:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:1599 https://access.redhat.com/errata/RHSA-2017:1599

Comment 23 errata-xmlrpc 2017-08-22 17:44:25 UTC
This issue has been addressed in the following products:

  RHEV Engine version 4.1

Via RHSA-2017:2524 https://access.redhat.com/errata/RHSA-2017:2524


Note You need to log in before you can comment on or make changes to this bug.