Bug 1388113 (CVE-2016-8628) - CVE-2016-8628 ansible: Command injection by compromised server via fact variables
Summary: CVE-2016-8628 ansible: Command injection by compromised server via fact varia...
Status: CLOSED ERRATA
Alias: CVE-2016-8628
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161101,repor...
Keywords: Reopened, Security
Depends On: 1390646 1390647 1390648 1390649 1390681 1396333
Blocks: 1388114
TreeView+ depends on / blocked
 
Reported: 2016-10-24 13:37 UTC by Adam Mariš
Modified: 2018-07-31 18:50 UTC (History)
46 users (show)

Fixed In Version: Ansible 2.2.0
Doc Type: If docs needed, set a value
Doc Text:
Ansible fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-15 05:30:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2778 normal SHIPPED_LIVE Moderate: atomic-openshift-utils security and bug fix update 2016-11-16 00:08:29 UTC

Description Adam Mariš 2016-10-24 13:37:25 UTC
It was found that it's possible to inject code and gain remote code execution via setting ansible_ssh_executable variable by attacker that takes over of controlled server.

Comment 1 Adam Mariš 2016-10-24 13:37:55 UTC
Acknowledgments:

Name: Michael Scherer (Red Hat)

Comment 2 Kurt Seifried 2016-11-01 15:23:05 UTC
Created ansible1.9 tracking bugs for this issue:

Affects: fedora-all [bug 1390647]
Affects: epel-all [bug 1390649]

Comment 3 Kurt Seifried 2016-11-01 15:23:26 UTC
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1390646]
Affects: epel-all [bug 1390648]

Comment 4 Kurt Seifried 2016-11-01 15:28:46 UTC
This issue is addressed in Ansible 2.2.0 available at:

https://github.com/ansible/ansible/releases/tag/v2.2.0.0-1

Comment 5 Kurt Seifried 2016-11-01 15:34:58 UTC
Downgrading this issue from High to Medium as it requires a compromised server in order to exploit a client.

Comment 8 Kurt Seifried 2016-11-14 18:24:00 UTC
Updated affects, 1.9 is not affected.

Comment 9 errata-xmlrpc 2016-11-15 19:09:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.2
  Red Hat OpenShift Container Platform 3.3

Via RHSA-2016:2778 https://access.redhat.com/errata/RHSA-2016:2778


Note You need to log in before you can comment on or make changes to this bug.