Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1565862 - (CVE-2018-1104) CVE-2018-1104 ansible-tower: Remote code execution by users with access to define variables in job templates
CVE-2018-1104 ansible-tower: Remote code execution by users with access to de...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20180427,repo...
: Security
Depends On: 1572740 1572747 1572748
Blocks: 1565867
  Show dependency treegraph
 
Reported: 2018-04-10 20:16 EDT by Sam Fowler
Modified: 2018-06-25 10:17 EDT (History)
20 users (show)

See Also:
Fixed In Version: ansible-tower 3.1.6, ansible-tower 3.2.4
Doc Type: If docs needed, set a value
Doc Text:
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1328 None None None 2018-05-07 16:42 EDT
Red Hat Product Errata RHSA-2018:1972 None None None 2018-06-25 10:17 EDT

  None (edit)
Description Sam Fowler 2018-04-10 20:16:19 EDT 
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server.
Comment 1 Sam Fowler 2018-04-10 20:16:29 EDT 
Acknowledgments:

Name: Simon Vikström
Comment 2 Magnus Glantz 2018-04-13 06:12:58 EDT 
The only way around this, as far as I can see, is to restrict ability to define extra variables for job templates (includes ability to define variables at the all levels, including from the inventory, a.s.o.). This, naturally, is crippling to the functionality of Tower. Anyone involved in playbook/role/inventory development/administration would have the ability to execute this exploit.

Also, it would be possible for someone to craft a role, put it in Ansible Galaxy to attack any users using it.
Comment 4 Kurt Seifried 2018-05-02 12:05:21 EDT 
This is now public: https://www.ansible.com/security
Comment 5 Kurt Seifried 2018-05-02 12:06:12 EDT 
This issue has been addressed in Ansible Tower release 3.1.6 and 3.2.4, for more information please see https://www.ansible.com/security
Comment 6 errata-xmlrpc 2018-05-07 16:42:24 EDT 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:1328 https://access.redhat.com/errata/RHSA-2018:1328
Comment 7 errata-xmlrpc 2018-06-25 10:16:56 EDT 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2018:1972 https://access.redhat.com/errata/RHSA-2018:1972
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.