Ansible fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
It was found that it's possible to inject code and gain remote code execution via setting ansible_ssh_executable variable by attacker that takes over of controlled server.
Name: Michael Scherer (Red Hat)
Created ansible1.9 tracking bugs for this issue:
Affects: fedora-all [bug 1390647]
Affects: epel-all [bug 1390649]
Created ansible tracking bugs for this issue:
Affects: fedora-all [bug 1390646]
Affects: epel-all [bug 1390648]
This issue is addressed in Ansible 2.2.0 available at:
Downgrading this issue from High to Medium as it requires a compromised server in order to exploit a client.
Updated affects, 1.9 is not affected.
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.2
Red Hat OpenShift Container Platform 3.3
Via RHSA-2016:2778 https://access.redhat.com/errata/RHSA-2016:2778