The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. References: https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md https://www.securityfocus.com/bid/68232
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1831265] Affects: fedora-all [bug 1831264]
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository.
This is a bug for Ansible 1.5.4 and previous versions, really old, and fixed on 1.5.5 and after long time ago, when it was Ansible Core. Currently we support 2.9.x, 2.8.x, and 2.7.x. and from 2.4 it is called Ansible Engine. So Ansible in all supported current versions is not affected.
Red Hat Ceph Storage and Red Hat Gluster Storage shipped ansible versions 2.4.1 and 2.3.2 respectively, which already contains the fix and hence not affected by this vulnerability.
External References: https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md https://www.securityfocus.com/bid/68232
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-4657