A race condition was found in ansible-runner where an attacker could watch for a rapid creation and deletion of a temporary directory, substitute their own directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. Upstream patch: https://github.com/ansible/ansible-runner/pull/742/commits/0e9aa8a97e7832ef9a1553ef2908632a32d2b8c4
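As an added illustration (not ansible-runner's code and not the upstream patch), the following Python shows the pattern the report describes, a safe alternative, and a pre-use ownership check a program can run before trusting a directory as its private data dir; all function names are assumed:

```python
import os
import stat
import tempfile


def racy_temp_dir_name(prefix="runner-"):
    """Constructed illustration of the pattern described in the report: a
    directory is created and immediately removed, and only its *name* is
    kept for later.  Between the rmdir and the later use of the name, another
    local user can create a directory (or symlink) at that path and thereby
    control whatever the program later writes there."""
    path = tempfile.mkdtemp(prefix=prefix)
    os.rmdir(path)
    return path


def private_temp_dir(prefix="runner-"):
    """Safe alternative: mkdtemp creates the directory atomically with mode
    0o700 and the caller keeps using that very directory, so there is no
    window in which the name exists without the directory being ours."""
    return tempfile.mkdtemp(prefix=prefix)


def is_private_dir(path):
    """Defensive pre-use check: the path must exist, be a real directory
    (lstat does not follow a planted symlink), be owned by the current user,
    and not be writable by group or others."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demo():
    """Exercise the helpers; returns (safe_ok, racy_gone, recreated_ok)."""
    safe = private_temp_dir()
    safe_ok = is_private_dir(safe)        # freshly made 0o700 dir passes
    os.rmdir(safe)
    racy = racy_temp_dir_name()
    racy_gone = not os.path.exists(racy)  # only the name survives
    os.mkdir(racy)                        # simulate the name being reused
    os.chmod(racy, 0o777)                 # with loose permissions
    recreated_ok = is_private_dir(racy)   # the check must reject it
    os.rmdir(racy)
    return safe_ok, racy_gone, recreated_ok
```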
Created python-ansible-runner tracking bugs for this issue:

Affects: epel-7 [bug 1977968]
Affects: fedora-all [bug 1977967]
Affects: openstack-rdo [bug 1977966]
Red Hat Ceph Storage 4 does not ship the affected code, and has been marked not affected.
In OCP 4.7, version 1.4.6-2 is packaged and is too old to have the vulnerable code; it uses the secure version of mkstemp: https://github.com/ansible/ansible-runner/blob/26a06567df037889f15e4b2eaa29919c6637986f/ansible_runner/utils.py#L151

In OCP 3.11, version 1.2.0-1 is packaged and uses the secure version of make temp: https://github.com/ansible/ansible-runner/blob/94f58c7c3667102dbafbf3b2349322c594deeccc/ansible_runner/utils.py#L143

Looks like the vulnerable code got refactored around version 2: https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253
Well, in hindsight, even if the above ^ aren't the refactored ones, the older versions still don't contain the code to insecurely create a temp dir.
Analysis is complete for all the concerned Ansible components and it was found that AAP 1.2 and Ansible Tower are affected by this vulnerability. However, AAP 2.0 is "Not Affected" by this vulnerability as it ships ansible-runner 2.0.1 which already contains the fix for this issue.
This vulnerability was part of ansible_runner_2.0 but was fixed before it got published. It was fixed by this PR: https://github.com/ansible/ansible-runner/pull/742 (the commits in that PR got back-ported to release_2.0 before we went GA). This code wasn't part of 1.4, so no released version of runner is actually impacted by this. Finally, no shipped ansible-runner version from Red Hat has been facing the issue. Hence, though this was marked as "affected" initially, marking it back to "not affected". However, since this is a valid vulnerability, the CVE will remain valid as well.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3702