It was found that inventory variables are loaded from the current working directory when running an ad-hoc command. If that directory is under an attacker's control, this allows arbitrary code to be run as a result.
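Since the weakness is that an ad-hoc command trusts whatever variable files sit in the directory it is invoked from, a pre-flight check on that directory is the practical defensive control for hosts that cannot be updated immediately. The following is an added example, not code from Ansible or from Red Hat; it assumes (this is not stated on the page) that the inventory variable sources Ansible picks up from a directory are the `group_vars/` and `host_vars/` trees, and it additionally flags a world-writable working directory as untrusted. The constructed listing in `__main__` stands in for a real directory walk.

```python
"""Pre-flight check of a working directory before running an ad-hoc Ansible
command. Added example, not Ansible's or Red Hat's code.

Assumption (not stated on the page): the variable sources picked up from a
directory are the group_vars/ and host_vars/ trees, so those are what this
check looks for.
"""
import os
import stat
from typing import Dict, Iterable, List, Optional

# Directory names treated as inventory variable sources (assumption, see above).
VAR_SOURCE_DIRS = ("group_vars", "host_vars")


def find_var_sources(relative_paths: Iterable[str]) -> List[str]:
    """Return every path, relative to the directory under test, that would be
    read as a group or host variable file.

    This is a pure function over a listing so it can be exercised without
    touching the filesystem; nested per-group layouts such as
    group_vars/all/vault.yml are matched as well, while a group_vars/ buried
    under some other subdirectory (roles/x/group_vars/) is not.
    """
    hits = []
    for rel in relative_paths:
        parts = rel.replace("\\", "/").split("/")
        if len(parts) >= 2 and parts[0] in VAR_SOURCE_DIRS:
            hits.append(rel)
    return sorted(hits)


def list_relative_paths(root: str) -> List[str]:
    """Walk `root` and return all file paths relative to it."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            out.append(os.path.relpath(os.path.join(dirpath, name), root))
    return out


def is_world_writable(path: str) -> bool:
    """True if any user on the host could plant files in `path`."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def check_directory(root: Optional[str] = None) -> Dict[str, object]:
    """Report whether `root` (default: the current working directory) is a
    safe place to run an ad-hoc command from."""
    root = root or os.getcwd()
    hits = find_var_sources(list_relative_paths(root))
    writable = is_world_writable(root)
    return {
        "directory": root,
        "var_sources": hits,
        "world_writable": writable,
        "safe": not hits and not writable,
    }


if __name__ == "__main__":
    # Constructed listing standing in for a real directory walk.
    sample_listing = [
        "hosts",
        "group_vars/all.yml",
        "host_vars/web1/vars.yml",
        "roles/common/group_vars/ignored.yml",
    ]
    print("variable sources in sample listing:", find_var_sources(sample_listing))
    report = check_directory()
    print("current directory safe to run from:", report["safe"])
    if report["var_sources"]:
        print("variable files that would be loaded:", report["var_sources"])
```

Run it from the directory you are about to use for the ad-hoc command; a non-empty `var_sources` list or a world-writable directory means the command should be run from a trusted location instead (or the update applied first). The check is deliberately conservative: it reports any variable file it finds rather than trying to judge whether its contents are harmful.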
Acknowledgments: Name: Michael Scherer (OSAS)
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1598810] Affects: fedora-all [bug 1598809]
This issue has been addressed in the following products: Red Hat Ansible Engine 2.5 for RHEL 7 Via RHSA-2018:2150 https://access.redhat.com/errata/RHSA-2018:2150
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Via RHSA-2018:2151 https://access.redhat.com/errata/RHSA-2018:2151
This issue has been addressed in the following products: Red Hat Ansible Engine 2.4 for RHEL 7 Via RHSA-2018:2152 https://access.redhat.com/errata/RHSA-2018:2152
This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7 Via RHSA-2018:2166 https://access.redhat.com/errata/RHSA-2018:2166
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2321 https://access.redhat.com/errata/RHSA-2018:2321
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054
Statement: Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ship the affected version of ansible, but they no longer maintain their own version of ansible. Both products will consume fixes directly from the ansible repository.