ansible: input sanitization errors (CVE-2014-4966 CVE-2014-4967)

The Ansible project is an open source configuration management platform.

The Ansible platform suffers from input sanitization errors that allow
arbitrary code execution as well as information leak, in case an attacker is
able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access
level into arbitrary code execution. The code execution can be triggered by
interpolation of file names maliciously crafted as lookup plugin commands, in
combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in
the face of an attacker controlling variable data (whether fact data,
with_fileglob data, or other sources), allowing an attacker to supply their
own options to an action. The impact of this is dependent on the action
module the attacker targets. For example, an attacker controlling variables
passed to the copy or template actions would be able to trigger arbitrary
code execution (in addition to simple information leakage) via the validate
option’s acceptance of arbitrary shell code.

Affected version:

Ansible <= 1.6.6

Fixed version:

Ansible >= 1.6.7

Credit: vulnerability report received from Brian Harring <ferringb AT
gmail.com>.

CVE: CVE-2014-4966 (lookup function), CVE-2014-4967 (action arguments)

References:
http://www.ocert.org/advisories/ocert-2014-004.html

(from redmine: issue id 3247, created on 2014-07-29, closed on 2014-07-30)

• Relations:
  • child #3248 (closed)
  • child #3249 (closed)