
CVE-2016-9587: an unpleasant Ansible vulnerability

The Ansible project is currently posting release candidates for the 2.1.4 and 2.2.1 releases. They fix an important security bug: "CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command)." Until this release is made, it would make sense to be especially careful about running Ansible against systems that might have been compromised.


From:  James Cammarata <jcammarata-JjBQs2a79e9BDgjK7y7TUQ-AT-public.gmane.org>
To:  "ansible-project-/JYPxA39Uh5TLH3MbocFFw-AT-public.gmane.org" <ansible-project-/JYPxA39Uh5TLH3MbocFFw-AT-public.gmane.org>, "ansible-devel-/JYPxA39Uh5TLH3MbocFFw-AT-public.gmane.org" <ansible-devel-/JYPxA39Uh5TLH3MbocFFw-AT-public.gmane.org>
Subject:  IMPORTANT - New RCs for Security Bug CVE-2016-9587
Date:  Mon, 9 Jan 2017 10:57:06 -0600
Message-ID:  <CAMFyvFgYBK-Ze4YE5ocxfRVobRCV_WDRmbf8Cj3_dxMMMGJNpA@mail.gmail.com>

Hi all,

Today we are releasing two new release candidates to address CVE-2016-9587,
which we are removing from embargo today:

2.1.4 RC1
2.2.1 RC3

CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed
via Ansible can lead to commands being run on the Ansible controller (as the user
running the ansible or ansible-playbook command).

If you have the ability, please test the above release candidates so that we can get
the final releases out as quickly as possible.

Finally, thanks to the security team at Computest, who did an amazing job of finding
the flaws and creating an excellent set of tests to reproduce them for us.

Thanks, and let us know if you run into any problems with the above release
candidates!

James Cammarata

Ansible Lead/Sr. Principal Software Engineer
Ansible by Red Hat
twitter: @thejimic, github: jimi-c



CVE-2016-9587: an unpleasant Ansible vulnerability

Posted Jan 12, 2017 0:23 UTC (Thu) by prometheanfire (subscriber, #65683)

We've determined that ansible 1.9.* isn't vulnerable, though take with a grain of salt.

https://bugs.gentoo.org/show_bug.cgi?id=605342#c3

CVE-2016-9587: an unpleasant Ansible vulnerability

Posted Jan 12, 2017 9:50 UTC (Thu) by misc (subscriber, #73730)

I am a bit annoyed that people freak out about this one, as no one reacted to CVE-2016-8628, which was the exact same issue (https://bugzilla.redhat.com/show_bug.cgi?id=1388113 / https://github.com/ansible/ansible/pull/15925). The only difference is that CVE-2016-8628 got rated as Medium, and this one as High, while it's the same, since the advisory of Computest speaks of the filtering that was created as part of CVE-2016-8628 without mentioning it (cf. https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt).


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds