Bug 1815519 (CVE-2020-10684) - CVE-2020-10684 Ansible: code injection when using ansible_facts as a subkey
Summary: CVE-2020-10684 Ansible: code injection when using ansible_facts as a subkey
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10684
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1816309 1816310 1816311 1816316 1816317 1816318 1816319 1816320 1816321 1816322 1816455 1816456 1819553
Blocks: 1815527
TreeView+ depends on / blocked
 
Reported: 2020-03-20 13:49 UTC by Borja Tarraso
Modified: 2022-10-02 21:51 UTC (History)
39 users (show)

Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Engine. When using ansible_facts as a subkey of itself, and promoting it to a variable when injecting is enabled, overwriting the ansible_facts after the clean, an attacker could take advantage of this by altering the ansible_facts leading to privilege escalation or code injection. The highest threat from this vulnerability are to data integrity and system availability.
Clone Of:
Environment:
Last Closed: 2020-04-22 16:32:25 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2150 0 None None None 2020-05-14 11:25:15 UTC
Red Hat Product Errata RHBA-2020:2251 0 None None None 2020-05-21 19:05:11 UTC
Red Hat Product Errata RHSA-2020:1541 0 None None None 2020-04-22 14:09:27 UTC
Red Hat Product Errata RHSA-2020:1542 0 None None None 2020-04-22 14:09:51 UTC
Red Hat Product Errata RHSA-2020:1543 0 None None None 2020-04-22 14:10:09 UTC
Red Hat Product Errata RHSA-2020:1544 0 None None None 2020-04-22 14:10:22 UTC

Description Borja Tarraso 2020-03-20 13:49:40 UTC 
Keys for ansible_facts can be overwritten when ansible_facts is added itself as a subkey. This action would happen after cleaning with unprocessed subkeys, as ansible_facts could be added as a subkey.
Comment 1 Borja Tarraso 2020-03-20 13:49:48 UTC 
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)
Comment 3 Borja Tarraso 2020-03-20 13:50:03 UTC 
Mitigation:

Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey.
Comment 6 Bill Nottingham 2020-03-23 17:50:56 UTC 
I am confused by that statement. Ansible Tower also does not maintain its own version of Ansible.
Comment 7 Borja Tarraso 2020-03-23 19:04:25 UTC 
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1816309]
Comment 8 Borja Tarraso 2020-03-23 19:07:45 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1816311]
Affects: fedora-all [bug 1816310]
Comment 11 Salvatore Bonaccorso 2020-03-24 06:40:41 UTC 
Hi Borja,

Sorry for beeing annoying again. Once reported upstream can you reference the upstream issue here as well?

Regards,
Salvatore
Comment 12 Yadnyawalk Tale 2020-03-24 07:04:26 UTC 
Removing CloudForms from affect list. CloudForms 5.10 & 5.11 both subscribe to Ansible repos, so we do not need to include cfme5/ansible-tower in affects nor file trackers. ansible_engine/ansible_tower affects entries are sufficient to inform Cloudforms customers.
Comment 13 Borja Tarraso 2020-03-24 17:24:43 UTC 
Hi Salvatore, here is the upstream fix: https://github.com/ansible/ansible/pull/68431
Comment 19 errata-xmlrpc 2020-04-22 14:09:25 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541
Comment 20 errata-xmlrpc 2020-04-22 14:09:48 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542
Comment 21 errata-xmlrpc 2020-04-22 14:10:07 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543
Comment 22 errata-xmlrpc 2020-04-22 14:10:20 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544
Comment 23 Product Security DevOps Team 2020-04-22 16:32:25 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10684
Comment 25 Summer Long 2021-01-14 05:30:23 UTC 
Statement:

* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.
* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.
* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.
* Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.
Note You need to log in before you can comment on or make changes to this bug.