ESB-2017.2106 - [RedHat] ansible: Execute arbitrary code/commands - Remote with user interaction 2017-08-23


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2106
        Moderate: ansible security, bug fix, and enhancement update
                              23 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ansible
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7481  

Reference:         ESB-2017.1623
                   ESB-2017.1523
                   ESB-2017.1512
                   ESB-2017.1343

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:2524

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ansible security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:2524-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2524
Issue date:        2017-08-22
CVE Names:         CVE-2017-7481 
=====================================================================

1. Summary:

An update for ansible is now available for RHEV Engine version 4.1.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHV-M 4.1 - noarch

3. Description:

Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.

The following packages have been upgraded to a later upstream version:
ansible (2.3.1.0). (BZ#1477925)

Security Fix(es):

* An input validation flaw was found in Ansible, where it fails to properly
mark lookup-plugin results as unsafe. If an attacker could control the
results of lookup() calls, they could inject Unicode strings to be parsed
by the jinja2 templating system, resulting in code execution. Lookup results
are now marked 'unsafe' by default, so the jinja2 templating system does not
evaluate them. (CVE-2017-7481)

This issue was discovered by Evgeni Golov (Red Hat).
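The mechanism behind this fix, as an added illustration in Python that models (not reproduces) Ansible's templating: a lookup result returned as a plain string is fed back through the template engine, while a result tagged with an 'unsafe' marker is treated as data. The UnsafeText class, the FILES contents and the secret_token value are constructed for this example and are not Ansible's code.

```python
import re

TEMPLATE_RE = re.compile(r"\{\{\s*(.+?)\s*\}\}")
LOOKUP_RE = re.compile(r"lookup\('file',\s*'([^']+)'\)")

class UnsafeText(str):
    """Marker: this value is data and must never be re-templated (stands in for 'unsafe' tagging)."""

# Constructed sample files; the second carries a template expression, as an attacker-controlled file might.
FILES = {
    "motd": "Welcome to host01",
    "motd_tainted": "Welcome {{ secret_token }}",
}

def evaluate(expr, variables, mark_unsafe):
    """Evaluate one {{ expr }}: a plain variable name or lookup('file', 'name')."""
    m = LOOKUP_RE.fullmatch(expr)
    if m:
        content = FILES[m.group(1)]
        return UnsafeText(content) if mark_unsafe else content
    return variables[expr]

def template(text, variables, mark_unsafe, depth=0):
    """Render text once, then render the result again if it still looks like a template
    and is not marked unsafe. That second pass is what evaluates untainted lookup data."""
    if isinstance(text, UnsafeText) or "{{" not in text or depth > 5:
        return text
    pieces, last = [], 0
    for m in TEMPLATE_RE.finditer(text):
        pieces.append(text[last:m.start()])
        pieces.append(evaluate(m.group(1), variables, mark_unsafe))
        last = m.end()
    pieces.append(text[last:])
    if len(pieces) == 3 and not pieces[0] and not pieces[2]:
        result = pieces[1]  # a lone expression keeps the value's type and its marker
    else:
        joined = "".join(str(p) for p in pieces)
        tainted = any(isinstance(p, UnsafeText) for p in pieces)
        result = UnsafeText(joined) if tainted else joined
    return template(result, variables, mark_unsafe, depth + 1)

def render_task_arg(arg, mark_unsafe):
    """Render one task argument; mark_unsafe=False models the unpatched behaviour."""
    return template(arg, {"secret_token": "s3cr3t-constructed"}, mark_unsafe)

if __name__ == "__main__":
    arg = "{{ lookup('file', 'motd_tainted') }}"
    print("unpatched:", render_task_arg(arg, mark_unsafe=False))  # variable is expanded
    print("patched:  ", render_task_arg(arg, mark_unsafe=True))   # left as literal data
```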

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1450018 - CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
1477925 - Upgrade ansible to version 2.3.1.0

6. Package List:

RHV-M 4.1:

Source:
ansible-2.3.1.0-3.el7.src.rpm

noarch:
ansible-2.3.1.0-3.el7.noarch.rpm
ansible-doc-2.3.1.0-3.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7481
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZnG66XlSAg2UNWIIRAu1XAJ9nvJwfMAKJ9A9IioLwoYAQv8vsVgCgpOLh
W19CFr0H9OYZeUVJBZdcVcw=
=pCGc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================