Vulnerability in solaris_zone from Ansible modules: the module accepts the zone name to perform actions related to zones. However, while running these actions on the system, the solaris_zone module checks the status of the zone by executing an os.system() call and using the zone name as a parameter. A malicious user could provide a crafted zone name which allows executing commands on the server, manipulating the module's behaviour.
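To make the flaw concrete, the following is an added example (not code from Ansible or from this advisory) that places the unsafe pattern beside a hardened form. It assumes the `/usr/sbin/zoneadm -z <name> list -p` status invocation and a zone-name rule of alphanumerics plus `_`, `-` and `.`, starting with an alphanumeric; both are assumptions for illustration, not details taken from the advisory. The vulnerable variant only builds the command string and never passes it to a shell.

```python
import re
import subprocess

# Assumed zone-name rule (constructed for this example, not from the advisory):
# alphanumerics, '_', '-' and '.', starting with an alphanumeric character.
# A leading '-' is refused so the name can never be parsed as a zoneadm option.
ZONE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")

# Assumed location of the Solaris zone administration tool.
ZONEADM = "/usr/sbin/zoneadm"


def vulnerable_status_command(zone_name):
    """The pattern the advisory describes: the caller-supplied zone name is
    interpolated into one string that os.system() would hand to /bin/sh, so any
    shell metacharacter in the name changes what the shell runs. This function
    only returns the string; it deliberately never invokes a shell."""
    return "%s -z %s list -p" % (ZONEADM, zone_name)


def hardened_status_command(zone_name):
    """Hardened form: reject anything outside the zone-name rule, then build an
    argv list so subprocess can exec zoneadm directly (shell=False). The name
    is always a single argument and is never re-parsed by a shell."""
    if not isinstance(zone_name, str) or not ZONE_NAME_RE.match(zone_name):
        raise ValueError("invalid zone name: %r" % (zone_name,))
    return [ZONEADM, "-z", zone_name, "list", "-p"]


def is_safe_zone_name(zone_name):
    """True if the name passes validation, False otherwise."""
    try:
        hardened_status_command(zone_name)
        return True
    except ValueError:
        return False


def zone_status(zone_name):
    """Run the hardened status check and return (returncode, stdout).
    Requires a Solaris host with zoneadm; shown for completeness only."""
    argv = hardened_status_command(zone_name)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for name in ["web-zone1", "db.zone_2", "web zone", "web;zone", "-zone", ""]:
        print("%-12r safe=%s" % (name, is_safe_zone_name(name)))
```

The two mitigations are independent and both are worth keeping: allow-list validation limits the name to what the platform itself accepts, and passing an argv list with `shell=False` means that even a name that slips through validation reaches zoneadm as one argument rather than as shell syntax. Validation also catches the leading-hyphen case, which list-form execution alone does not.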
Acknowledgments: Name: Abhijeet Kasurde (Red Hat)
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1777690] Affects: fedora-all [bug 1777689] Affects: openstack-rdo [bug 1777688]
Mitigation: Currently, there is no mitigation for this issue.
Statement: Because exploiting this flaw would depend on the use of Solaris, and Red Hat does not support RHOSP on Solaris, the RHOSP Ansible package will not be updated at this time. Ansible Engine 2.7.15, 2.8.7, and 2.9.2, as well as previous versions, are affected.
This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7 Via RHSA-2020:0217 https://access.redhat.com/errata/RHSA-2020:0217
This issue has been addressed in the following products: Red Hat Ansible Engine 2.9 for RHEL 7 Red Hat Ansible Engine 2.9 for RHEL 8 Via RHSA-2020:0215 https://access.redhat.com/errata/RHSA-2020:0215
This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7 Red Hat Ansible Engine 2.8 for RHEL 8 Via RHSA-2020:0216 https://access.redhat.com/errata/RHSA-2020:0216
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Red Hat Ansible Engine 2 for RHEL 8 Via RHSA-2020:0218 https://access.redhat.com/errata/RHSA-2020:0218
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14904
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship the `ansible` package; it is provided by the official Ansible repository.