Bug 1968412 (CVE-2021-3583) - CVE-2021-3583 ansible: Template Injection through yaml multi-line strings with ansible facts used in template.
Status: CLOSED ERRATA
Alias: CVE-2021-3583
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1976097 1969274 1969275 1976092 1976093 1976096 1976098
Blocks: 1967965 1968686 2002257
Reported: 2021-06-07 10:57 UTC by Tapas Jena
Modified: 2021-09-21 10:02 UTC

Fixed In Version: ansible_tower 3.7, ansible_engine 2.9.23
Doc Type: ---
Doc Text:
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
Last Closed: 2021-07-07 10:40:38 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2021:2688 | 0 | None | None | None | 2021-07-12 12:28:21 UTC
Red Hat Product Errata | RHBA-2021:2850 | 0 | None | None | None | 2021-07-21 14:07:50 UTC
Red Hat Product Errata | RHSA-2021:2663 | 0 | None | None | None | 2021-07-07 04:45:17 UTC
Red Hat Product Errata | RHSA-2021:2664 | 0 | None | None | None | 2021-07-07 04:46:00 UTC

Description Tapas Jena 2021-06-07 10:57:58 UTC
If there are Ansible users out there who are trying to put templates in multi-line YAML strings (https://yaml-multiline.info/), and the facts being handled don't routinely include special template characters, then their controller will be vulnerable to a template injection through the facts used in the template.

Comment 2 Tapas Jena 2021-06-08 06:13:27 UTC
Analysis is complete and it's found to be a legitimate issue. The issue has been successfully reproduced. Hence, marking it as "Affected" -> "fix" for AAP 1 and Ansible Tower.

Comment 7 Tapas Jena 2021-06-25 08:08:42 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1976097]
Affects: fedora-all [bug 1976096]
Affects: openstack-rdo [bug 1976098]

Comment 8 errata-xmlrpc 2021-07-07 04:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:2663 https://access.redhat.com/errata/RHSA-2021:2663

Comment 9 errata-xmlrpc 2021-07-07 04:45:59 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:2664 https://access.redhat.com/errata/RHSA-2021:2664

Comment 10 Product Security DevOps Team 2021-07-07 10:40:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3583

