The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.

Reference:
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ
https://www.openwall.com/lists/oss-security/2014/06/26/30
https://www.openwall.com/lists/oss-security/2014/07/02/2
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-4678
I think the resolution is quite clear here. In any case, Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship the `ansible` package; it is provided by the official Ansible repository.
Statement: Red Hat Ceph Storage and Red Hat Gluster Storage shipped ansible versions 2.4.1 and 2.3.2 respectively, which are not affected by this vulnerability.