ansible: input sanitization errors (CVE-2014-4966 CVE-2014-4967)
The Ansible project is an open source configuration management platform.
The Ansible platform suffers from input sanitization errors that allow arbitrary code execution as well as information leak, in case an attacker is able to control certain playbook variables.
The first vulnerability involves the escalation of a local permission access level into arbitrary code execution. The code execution can be triggered by interpolation of file names maliciously crafted as lookup plugin commands, in combination with its pipe feature.
The second vulnerability concerns the unsafe parsing of action arguments in the face of an attacker controlling variable data (whether fact data, with_fileglob data, or other sources), allowing an attacker to supply their own options to an action. The impact of this is dependent on the action module the attacker targets. For example, an attacker controlling variables passed to the copy or template actions would be able to trigger arbitrary code execution (in addition to simple information leakage) via the validate option's acceptance of arbitrary shell code.
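The following is an added example, not code from the advisory or from the Ansible project, that illustrates the second issue from a defender's side: old-style action strings are split into key=value options, so a variable value that contains whitespace and an "=" adds options the playbook author never wrote, and a value that still carries Jinja2 delimiters is templated again. The function names (parse_action_args, is_safe_interpolation, unsafe_values) and the sample values are constructed for this example; the splitter is an illustrative reimplementation of the behaviour described above, not Ansible's parser.

```python
import re
import shlex

# Jinja2 delimiters; a value that still contains them is treated as a
# template when Ansible interpolates it (the lookup/pipe path in the first
# issue above starts from exactly this kind of value).
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\}\}|%\}|\{#")


def parse_action_args(argstring):
    """Split an old-style action string such as
    'src=report.txt dest=/tmp/report.txt' into a dict of key=value options.

    Illustrative reimplementation of shlex-based option splitting, used
    here only to show how an interpolated value can add options.
    """
    opts = {}
    for token in shlex.split(argstring):
        if "=" in token:
            key, value = token.split("=", 1)
            opts[key] = value
    return opts


def is_safe_interpolation(value):
    """Return True if `value` can be placed into an action string without
    adding options (one token, no '=') and without being re-templated
    (no Jinja2 delimiters). Values with whitespace are rejected as well,
    because they would split into several tokens."""
    if TEMPLATE_DELIMS.search(value):
        return False
    try:
        tokens = shlex.split(value)
    except ValueError:  # unbalanced quotes
        return False
    return len(tokens) == 1 and "=" not in tokens[0]


def unsafe_values(values):
    """Filter a list of variable values (for instance fact data or
    with_fileglob results) down to the ones that fail the check."""
    return [v for v in values if not is_safe_interpolation(v)]


# Constructed sample values standing in for attacker-influenced data.
SAMPLE_VALUES = [
    "report.txt",              # plain file name: safe
    "archive 2014.tar",        # whitespace: splits into two tokens
    "report.txt mode=0644",    # injects an extra option into the action
    "{{ untrusted }}.txt",     # Jinja2 delimiters: would be re-templated
]

if __name__ == "__main__":
    # The second string shows an option that was not in the playbook
    # appearing in the parsed options.
    print(parse_action_args("src=report.txt dest=/tmp/report.txt"))
    print(parse_action_args("src=" + SAMPLE_VALUES[2] + " dest=/tmp/report.txt"))
    print("rejected:", unsafe_values(SAMPLE_VALUES))
```

A check like this belongs at the point where untrusted data enters a play (facts gathered from a managed host, glob results, inventory variables); it is a stopgap for the described issue, and upgrading to the fixed version is the actual remedy.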
Affected version:
Ansible <= 1.6.6
Fixed version:
Ansible >= 1.6.7
Credit: vulnerability report received from Brian Harring <ferringb AT gmail.com>.
CVE: CVE-2014-4966 (lookup function), CVE-2014-4967 (action arguments)
References:
http://www.ocert.org/advisories/ocert-2014-004.html
(from redmine: issue id 3247, created on 2014-07-29, closed on 2014-07-30)
- Relations:
- child #3248 (closed)
- child #3249 (closed)