Description
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
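Because the only fix is upgrading, the first thing a practitioner wants is a quick way to tell whether a control node runs an affected build. The helper below is an added example, not code from the advisory or from the Ansible project: it parses the first line of `ansible --version` output (the sample output is constructed) and applies the version ranges stated above and in the statement section (2.8.x before 2.8.15, 2.9.x before 2.9.13, and everything older than 2.8 also affected). Branches newer than 2.9 are reported as "not covered", since the advisory does not speak to them.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `ansible --version` output; the first line carries the version.
SAMPLE_OUTPUT = """ansible 2.9.12
  config file = /etc/ansible/ansible.cfg
  python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1]
"""

# First fixed release per branch, taken from the advisory text.
FIXED_IN: Dict[Tuple[int, int], int] = {
    (2, 8): 15,   # 2.8.x fixed in 2.8.15
    (2, 9): 13,   # 2.9.x fixed in 2.9.13
}

_VERSION_RE = re.compile(r"^ansible\s+(?:\[core\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_ansible_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `ansible --version` output, or None if unparseable."""
    lines = output.strip().splitlines()
    if not lines:
        return None
    m = _VERSION_RE.match(lines[0].strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Optional[Tuple[int, int, int]]) -> Optional[bool]:
    """True = in an affected range, False = carries the fix, None = unknown or not covered."""
    if version is None:
        return None
    major, minor, patch = version
    branch = (major, minor)
    if branch < (2, 8):
        # The statement says all versions before 2.8.14 / 2.9.12 are affected as well.
        return True
    if branch in FIXED_IN:
        return patch < FIXED_IN[branch]
    # 2.10 and later are not mentioned by the advisory; do not guess.
    return None


def assess(output: str) -> Dict[str, object]:
    """Combine parsing and range check into a small report for one control node."""
    version = parse_ansible_version(output)
    affected = is_affected(version)
    if version is None:
        verdict = "could not determine ansible version"
    elif affected is True:
        verdict = "affected: upgrade to a fixed release"
    elif affected is False:
        verdict = "not affected: fixed release"
    else:
        verdict = "branch not covered by this advisory"
    return {"version": version, "affected": affected, "verdict": verdict}


if __name__ == "__main__":
    # In practice feed the real output: subprocess.run(["ansible", "--version"], capture_output=True, text=True).stdout
    print(assess(SAMPLE_OUTPUT))
```

Run it against the captured output of `ansible --version` on each control node (for example via subprocess, as in the `__main__` comment); the constructed sample yields version (2, 9, 12), which falls inside the affected range.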
Statement
Ansible Engine 2.8.14 and 2.9.12, as well as all previous versions, are affected. Ansible Tower 3.7.2 and 3.6.5, as well as previous versions, are affected in their containerized form; the issue has been fixed indirectly in the 3.6.6 and 3.7.3 releases. For non-containerized Ansible Tower installations, the fix is delivered via yum update or yum install. Red Hat Gluster Storage (RHGS) 3 and Red Hat Ceph Storage (RHCS) 2 and 3 ship the affected version of ansible, but they no longer maintain their own build of ansible; both products will consume fixes directly from the ansible repository. As RHCS 2 and 3 do not use dnf, the impact rating is reduced to Low. RHCS still ships ansible separately for Ceph on Ubuntu, but Ubuntu is not affected by this vulnerability because it uses apt instead of dnf. Red Hat OpenStack Platform 10 and 13 ship a vulnerable version of Ansible; however, package installation there is done via yum instead of dnf, so this flaw has no effect.
Mitigation
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Ansible Tower 3 | ansible | Will not fix | ||
| Red Hat Ceph Storage 2 | ansible | Will not fix | ||
| Red Hat Ceph Storage 3 | ansible | Will not fix | ||
| Red Hat OpenStack Platform 10 (Newton) | ansible | Will not fix | ||
| Red Hat OpenStack Platform 13 (Queens) | ansible | Will not fix | ||
| Red Hat Storage 3 | ansible | Will not fix | ||
| Red Hat Ansible Engine 2.8 for RHEL 7 | ansible | Fixed | RHSA-2020:3600 | 01.09.2020 |
| Red Hat Ansible Engine 2.8 for RHEL 8 | ansible | Fixed | RHSA-2020:3600 | 01.09.2020 |
| Red Hat Ansible Engine 2.9 for RHEL 7 | ansible | Fixed | RHSA-2020:3601 | 01.09.2020 |
| Red Hat Ansible Engine 2.9 for RHEL 8 | ansible | Fixed | RHSA-2020:3601 | 01.09.2020 |
Additional information
CVSS3: 6.3 Medium
Related vulnerabilities
Improper Verification of Cryptographic Signature in ansible
A vulnerability in the dnf module of the Ansible configuration management system, caused by improper verification of a cryptographic signature, that allows an attacker to violate data integrity and cause a denial of service
CVSS3: 6.3 Medium