Ansible 1.6.7 - security release

Hi everyone,

Today we are releasing Ansible 1.6.7 to address security issues involving untrusted or hidden inputs.

As you may remember, we previously made updates based on security findings from two individuals. In this case, a variation from one of those same folks was shared later by ocert.org via Brian Ferring, and we want to close this off as well.

The two CVEs addressed are listed below.

  • Strip lookup calls out of inventory variables and clean unsafe data returned from lookup plugins (CVE-2014-4966)

  • Make sure vars don’t insert extra parameters into module args and prevent duplicate params from superseding previous params (CVE-2014-4967)

The first exploit involves hiding Jinja2 template expressions on the local file system. An attacker would need to be able to check code into a playbook repo, or place it on the local disk in a location Ansible reads with something like “with_fileglob”, and could then hide commands in ways that were not readily apparent. This is not a remotely leverageable exploit.

The other exploit involves untrusted data, such as facts, being used in command inputs in a way that adds additional arguments to commands or overrides existing ones. This can happen when a remote node is compromised and the value of a fact from that node is passed to a module. In most situations this would only result in the remote node receiving different instructions, but if local_action is used, some things could be executed locally (or, in the case of delegate_to, on a different node), which is of greater consequence. Exploiting this would require some knowledge of the playbook configuring the system.
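To make the CVE-2014-4967 behaviour concrete, here is an added example (not Ansible's own code) with a simplified, hypothetical key=value argument parser: it shows how an unquoted fact-derived value can introduce or supersede parameters, how quoting the value keeps it a single token, and how rejecting duplicate parameters stops the override. The template syntax, function names and the `{{ fact }}` placeholder are assumptions for illustration; the sample values are constructed.

```python
import shlex

# Hypothetical, simplified parser used only to illustrate the issue.
# It is NOT Ansible's module-argument parser.
def parse_module_args(arg_string, allow_duplicates):
    """Return {key: value} for every key=value token in arg_string.

    allow_duplicates=True lets a later key silently supersede an earlier
    one (the behaviour the 1.6.7 fix removes); False rejects it instead.
    """
    params = {}
    for token in shlex.split(arg_string):
        if "=" not in token:
            continue  # free-form words are not parameters
        key, value = token.split("=", 1)
        if key in params and not allow_duplicates:
            raise ValueError("duplicate module parameter: %s" % key)
        params[key] = value
    return params


def render_args(template, untrusted, quote):
    """Substitute an untrusted (e.g. fact-derived) value into an argument
    template. quote=True wraps it with shlex.quote so it stays one token."""
    value = shlex.quote(untrusted) if quote else untrusted
    return template.replace("{{ fact }}", value)


def injected_params(template, untrusted):
    """Keys whose value differs when the untrusted value is left unquoted.

    An empty list means the value was harmless; anything else shows which
    parameters the untrusted data added or superseded.
    """
    safe = parse_module_args(render_args(template, untrusted, True), True)
    raw = parse_module_args(render_args(template, untrusted, False), True)
    return sorted(k for k in raw if safe.get(k) != raw[k])


if __name__ == "__main__":
    tpl = "dest=/tmp/out.txt content={{ fact }}"  # constructed template
    for fact in ("host01", "host01 extra_param=1", "host01 dest=/tmp/other"):
        print(repr(fact), "->", injected_params(tpl, fact))
```

With duplicates rejected, `parse_module_args(render_args(tpl, "host01 dest=/tmp/other", False), False)` raises instead of letting the fact value override `dest`.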

Users should update to 1.6.7, which is now available on releases.ansible.com as well as PyPI, and distributions should be updating shortly.

We greatly appreciate all of the recent security review. Making Ansible as rock solid as possible is a major priority, well in line with our focus on agent-less management, push-based infrastructure, sharing as little information with remote nodes as possible, eliminating fileservers, and things like that.

As we have mentioned before, we take security reports exceptionally seriously and practice responsible disclosure. If you ever have something to report, email us at security@ansible.com and we’ll respond promptly.

Thanks!

Hi all, we’re aware of some issues regarding shell quoting in this security fix. We are working on a patch to correct this and will be releasing an update soon.

Thanks!