CVE-2020-10684: code injection when using ansible_facts as a subkey

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data, which would lead to privilege escalation or code injection.
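The condition described above, `ansible_facts` appearing as a subkey of itself, can be checked for in any result dictionary before it is trusted. The following is an added example, not Ansible's own code and not part of the original page; `nested_facts_paths`, `strip_nested_facts` and the sample result are hypothetical names and constructed data, and the check is a guard on input data, not the upstream fix.

```python
"""Added example: flag and strip `ansible_facts` nested inside itself."""
from typing import Any, Iterator

FACTS_KEY = "ansible_facts"


def nested_facts_paths(data: Any, path: tuple = (), inside: bool = False) -> Iterator[tuple]:
    """Yield the key path of every `ansible_facts` key found below another one."""
    if isinstance(data, dict):
        for key, value in data.items():
            here = path + (key,)
            if key == FACTS_KEY and inside:
                yield here
            # Everything under an `ansible_facts` key counts as "inside".
            yield from nested_facts_paths(value, here, inside or key == FACTS_KEY)
    elif isinstance(data, (list, tuple)):
        for index, item in enumerate(data):
            yield from nested_facts_paths(item, path + (index,), inside)


def strip_nested_facts(data: Any, inside: bool = False) -> Any:
    """Return a copy of `data` with every nested `ansible_facts` subkey dropped."""
    if isinstance(data, dict):
        return {
            key: strip_nested_facts(value, inside or key == FACTS_KEY)
            for key, value in data.items()
            if not (key == FACTS_KEY and inside)
        }
    if isinstance(data, (list, tuple)):
        return [strip_nested_facts(item, inside) for item in data]
    return data


# Constructed module result: the inner `ansible_facts` entries are the pattern to reject.
SAMPLE_RESULT = {
    "changed": False,
    "ansible_facts": {
        "ansible_distribution": "Fedora",
        "ansible_facts": {"ansible_distribution": "overwritten-value"},
        "extra": [{"ansible_facts": {"k": "v"}}],
    },
}

if __name__ == "__main__":
    for p in nested_facts_paths(SAMPLE_RESULT):
        print("nested ansible_facts at:", "/".join(map(str, p)))
```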

Description Borja Tarraso 2020-03-20 13:49:40 UTC

Keys for ansible_facts can be overwritten when ansible_facts is added itself as a subkey. This action would happen after cleaning with unprocessed subkeys, as ansible_facts could be added as a subkey.

Comment 1 Borja Tarraso 2020-03-20 13:49:48 UTC

Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 3 Borja Tarraso 2020-03-20 13:50:03 UTC

Mitigation:

Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey.

Comment 6 Bill Nottingham 2020-03-23 17:50:56 UTC

I am confused by that statement. Ansible Tower also does not maintain its own version of Ansible.

Comment 7 Borja Tarraso 2020-03-23 19:04:25 UTC

Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1816309]

Comment 8 Borja Tarraso 2020-03-23 19:07:45 UTC

Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1816311]

Affects: fedora-all [bug 1816310]

Comment 11 Salvatore Bonaccorso 2020-03-24 06:40:41 UTC

Hi Borja,

Sorry for being annoying again. Once reported upstream can you reference the upstream issue here as well?

Regards, Salvatore

Comment 12 Yadnyawalk Tale 2020-03-24 07:04:26 UTC

Removing CloudForms from affect list. CloudForms 5.10 & 5.11 both subscribe to Ansible repos, so we do not need to include cfme5/ansible-tower in affects nor file trackers. ansible_engine/ansible_tower affects entries are sufficient to inform Cloudforms customers.

Comment 25 Summer Long 2021-01-14 05:30:23 UTC

Statement:

* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.
* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.
* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintain their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.
* Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.
