Описание
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
A flaw was found in the Ansible Engine. When using ansible_facts as a subkey of itself, and promoting it to a variable when injecting is enabled, overwriting the ansible_facts after the clean, an attacker could take advantage of this by altering the ansible_facts leading to privilege escalation or code injection. The highest threat from this vulnerability are to data integrity and system availability.
Отчет
- Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.
- Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.
- Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.
- Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.
Меры по смягчению последствий
Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 2 | ansible | Out of support scope | ||
| Red Hat Ceph Storage 3 | ansible | Affected | ||
| Red Hat OpenStack Platform 10 (Newton) | ansible | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | ansible | Will not fix | ||
| Red Hat Storage 3 | ansible | Will not fix | ||
| Red Hat Ansible Engine 2.7 for RHEL 7 | ansible | Fixed | RHSA-2020:1544 | 22.04.2020 |
| Red Hat Ansible Engine 2.8 for RHEL 7 | ansible | Fixed | RHSA-2020:1543 | 22.04.2020 |
| Red Hat Ansible Engine 2.8 for RHEL 8 | ansible | Fixed | RHSA-2020:1543 | 22.04.2020 |
| Red Hat Ansible Engine 2.9 for RHEL 7 | ansible | Fixed | RHSA-2020:1541 | 22.04.2020 |
| Red Hat Ansible Engine 2.9 for RHEL 8 | ansible | Fixed | RHSA-2020:1541 | 22.04.2020 |
Показывать по
Дополнительная информация
Статус:
7.9 High
CVSS3
Связанные уязвимости
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9. ...
Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible
Уязвимость системы управления конфигурациями Ansible, связанная с ошибками синхронизации при использовании общего ресурса, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код
7.9 High
CVSS3