Bug 1485474 – CVE-2017-12148 Ansible Tower:modification of git hooks in SCM repo via upstream playbook execution

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1485474 - (CVE-2017-12148) CVE-2017-12148 Ansible Tower:modification of git hooks in SCM repo via upstream playbook execution

Summary:	CVE-2017-12148 Ansible Tower:modification of git hooks in SCM repo via upstre...

Status:	CLOSED ERRATA

Aliases:	CVE-2017-12148

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20170919,repo...
Keywords:	Security

Depends On:	1485484 1485485 1490002 1490003 1490004
Blocks:	1485482
	Show dependency tree / graph

Reported:	2017-08-25 16:56 EDT by Kurt Seifried
Modified:	2018-07-27 03:42 EDT (History)
CC List:	19 users (show)

See Also:
Fixed In Version:	ansible_tower 3.1.5, ansible_tower 3.2.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Tower's interface with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-12-11 07:08:47 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3005	normal	SHIPPED_LIVE	Important: Red Hat CloudForms security, bug fix, and enhancement update	2017-10-24 00:15:49 EDT

Groups: None (edit)

Description Kurt Seifried 2017-08-25 16:56:48 EDT

If a Tower project (SCM repo) definition does not have the 'delete before update' flag set, a user who has commit access to the upstream playbook source repo could create a trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks.

On the next SCM update, these git hooks would then run, therefore running arbitrary code as the 'awx' (Tower service) user.

Comment 2 Borja Tarraso 2017-09-07 05:30:19 EDT

Acknowledgments:

Name: Ryan Petrello (Red Hat)

Comment 5 errata-xmlrpc 2017-10-23 20:42:57 EDT

This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2017:3005 https://access.redhat.com/errata/RHSA-2017:3005

Note You need to log in before you can comment on or make changes to this bug.