It was found that ansible.cfg is being read from current working directory, which cam be made to point to plugin or module paths that are under control of the attacker, allowing to execute arbitrary code.
Acknowledgments: Name: Brian Coca (Red Hat)
s/cam/can/
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1598806] Affects: fedora-all [bug 1598805]
This issue has been addressed in the following products: Red Hat Ansible Engine 2.5 for RHEL 7 Via RHSA-2018:2150 https://access.redhat.com/errata/RHSA-2018:2150
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Via RHSA-2018:2151 https://access.redhat.com/errata/RHSA-2018:2151
This issue has been addressed in the following products: Red Hat Ansible Engine 2.4 for RHEL 7 Via RHSA-2018:2152 https://access.redhat.com/errata/RHSA-2018:2152
This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7 Via RHSA-2018:2166 https://access.redhat.com/errata/RHSA-2018:2166
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2321 https://access.redhat.com/errata/RHSA-2018:2321
Upstream patch: https://github.com/ansible/ansible/pull/42070
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054
Statement: Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.