2028074 – (CVE-2021-4041) CVE-2021-4041 Ansible: Improper shell escaping in ansible-runner

Bug 2028074 (CVE-2021-4041) - CVE-2021-4041 Ansible: Improper shell escaping in ansible-runner

Summary: CVE-2021-4041 Ansible: Improper shell escaping in ansible-runner

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-4041
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2180720 2028406 2180515 2180516 2180721 2180722 2180723 2182373 2182750
Blocks:	2015241
TreeView+	depends on / blocked

Reported:	2021-12-01 12:48 UTC by Vipul Nair
Modified:	2023-08-02 09:22 UTC (History)
CC List:	58 users (show)
Fixed In Version:	ansible-runner 2.1.0
Doc Type:	---
Doc Text:	A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.
Clone Of:
Environment:
Last Closed:	2022-01-11 22:00:41 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:0108	0	None	None	None	2022-01-11 20:55:17 UTC

Description Vipul Nair 2021-12-01 12:48:35 UTC

An improper escape on the line,could lead to unsuspecting developer execute code on the host machine rather than virtual one
https://github.com/ansible/ansible-runner/blob/3d6886d1a26358ead139fef736d1c8ca07f7ab71/ansible_runner/runner.py#L257

Comment 3 Salvatore Bonaccorso 2021-12-12 10:07:16 UTC

There is an upstream change in 2.1.0 which removes the shell use in subprocess:
https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd

Comment 6 errata-xmlrpc 2022-01-11 20:55:14 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.0 for RHEL 8

Via RHSA-2022:0108 https://access.redhat.com/errata/RHSA-2022:0108

Comment 7 Product Security DevOps Team 2022-01-11 22:00:39 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4041

Comment 8 Vipul Nair 2023-03-21 15:54:16 UTC

Created python-ansible-runner tracking bugs for this issue:

Affects: epel-7 [bug 2180515]
Affects: openstack-rdo [bug 2180516]

Note You need to log in before you can comment on or make changes to this bug.

akarol
amctagga
aoconnor
bbuckingham
bcoca
bcourt
bniver
carnil
chousekn
cwelton
davidn
dmetzger
eglynn
ehelms
epacific
flucifre
gblomqui
gmccullo
gmeno
gtanzill
jcammara
jhardy
jjoyce
jneedle
jobarker
jsherril
lhh
lzap
mabashia
mbenjamin
mburns
mgarciac
mhackett
mhulan
michal.skrivanek
mperina
myarboro
nmoumoul
notting
orabin
osapryki
pcreech
rchan
relrod
rhos-maint
roliveri
rpetrell
sbonazzo
simaishi
smallamp
smcdonal
sostapov
spower
teagle
tkuratom
vereddy
yguenane
zsadeh