2028121 – (CVE-2021-4112) CVE-2021-4112 ansible-tower: Privilege escalation via job isolation escape

Bug 2028121 (CVE-2021-4112) - CVE-2021-4112 ansible-tower: Privilege escalation via job isolation escape

Summary: CVE-2021-4112 ansible-tower: Privilege escalation via job isolation escape

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-4112
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2028399 2028400 2028522
Blocks:	1983057
TreeView+	depends on / blocked

Reported:	2021-12-01 14:20 UTC by Vipul Nair
Modified:	2022-12-06 14:57 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.
Clone Of:
Environment:
Last Closed:	2022-02-08 22:13:23 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:0460	None	None	None	2022-02-08 03:40:41 UTC
Red Hat Product Errata	RHSA-2022:0474	None	None	None	2022-02-08 14:57:29 UTC
Red Hat Product Errata	RHSA-2022:0482	None	None	None	2022-02-08 21:31:56 UTC

Description Vipul Nair 2021-12-01 14:20:45 UTC

A researcher found a trivial bypass for CVE-2021-20253 by sending a mail to awx user, thereby leveraging postfix to create a folder, owned by awx, then placing a binary in that folder that lets a low privilege user to elevate to awx outside the isolation jail.

Comment 6 errata-xmlrpc 2022-02-08 03:40:39 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.1 for RHEL 8

Via RHSA-2022:0460 https://access.redhat.com/errata/RHSA-2022:0460

Comment 7 errata-xmlrpc 2022-02-08 14:57:27 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.0 for RHEL 8

Via RHSA-2022:0474 https://access.redhat.com/errata/RHSA-2022:0474

Comment 8 errata-xmlrpc 2022-02-08 21:31:54 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.8 for RHEL 7

Via RHSA-2022:0482 https://access.redhat.com/errata/RHSA-2022:0482

Comment 9 Product Security DevOps Team 2022-02-08 22:13:20 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4112

Comment 10 Satoe Imaishi 2022-02-15 18:58:22 UTC

For Ansible Tower 3.8, this is addressed in ansible-tower 3.8.5-2 and ansible-runner 1.4.7-2 rpms, which are included in ansible-tower-setup-bundle-3.8.5-2.tar.gz/ansible-automation-platform-setup-bundle-1.2.6-2.tar.gz.

Note You need to log in before you can comment on or make changes to this bug.