Ansible: Remote execution of arbitrary code — GLSA 201701-77

A vulnerability in Ansible may allow rogue clients to execute commands on the Ansible controller.

Affected packages

Package: app-admin/ansible (all architectures)
Affected versions: < 2.1.4.0_rc3 (2.1 branch), < 2.2.1.0_rc5 (2.2 branch)
Unaffected versions: >= 2.1.4.0_rc3 (2.1 branch), >= 2.2.1.0_rc5 (2.2 branch)

Background

Ansible is a radically simple IT automation platform.

Description

An input validation vulnerability was found in Ansible’s handling of data sent from client systems.

Impact

An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server (the controller), could execute arbitrary code on the Ansible server with the privileges of the Ansible server process.

Workaround

There is no known workaround at this time.

Resolution

All Ansible 2.1.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.1.4.0_rc3"
 

All Ansible 2.2.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.2.1.0_rc5"
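As an added example (not part of this GLSA or of the Ansible or Gentoo projects), the following Python script decides whether a Gentoo-style package version string for app-admin/ansible falls inside the affected ranges listed above. It implements a simplified form of Gentoo's version ordering (numeric components compared left to right, with _alpha < _beta < _pre < _rc < release < _p), which is an assumption sufficient for the version strings in this advisory but not the full PMS algorithm. The affected set is read literally from the advisory: anything below 2.1.4.0_rc3 is affected, and within the 2.2 branch anything below 2.2.1.0_rc5 is affected.

```python
import re
from typing import Tuple

# Simplified Gentoo (PMS) suffix ordering, as assumed for this example:
# _alpha < _beta < _pre < _rc < plain release < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

# Accepts e.g. "2.1.4.0", "2.1.4.0_rc3", "2.2.1.0_p1"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?$")

# First fixed versions per branch, exactly as listed in the advisory
FIXED_2_1 = "2.1.4.0_rc3"
FIXED_2_2 = "2.2.1.0_rc5"


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Split a Gentoo version string into a sortable key:
    (numeric components, suffix rank, suffix number)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    suffix = match.group(2)  # None for a plain release
    suffix_num = int(match.group(3)) if match.group(3) else 0
    return numbers, _SUFFIX_RANK[suffix], suffix_num


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b."""
    return parse_version(a) < parse_version(b)


def is_affected(version: str) -> bool:
    """True if the given app-admin/ansible version is within the
    advisory's affected ranges."""
    numbers, _, _ = parse_version(version)
    # Everything before the first 2.1.x fix is affected (covers 2.0.x and older).
    if version_lt(version, FIXED_2_1):
        return True
    # The 2.2 branch was fixed separately; 2.2.x releases before the fix are affected.
    if numbers[:2] == (2, 2) and version_lt(version, FIXED_2_2):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs; feed the version reported by portage instead.
    for sample in ["2.1.3.0", "2.1.4.0_rc3", "2.2.0.0", "2.2.1.0_rc4", "2.2.1.0"]:
        state = "AFFECTED" if is_affected(sample) else "fixed"
        print(f"app-admin/ansible-{sample}: {state}")
```

Run it against the version string portage reports for the installed ansible package; a result of AFFECTED means the upgrade commands above still need to be applied.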
 

Release date
January 31, 2017

Latest revision
January 31, 2017 (revision 1)

Severity
normal

Exploitable
remote
