A vulnerability in Ansible may allow rogue clients to execute commands on the Ansible controller.
Package | app-admin/ansible on all architectures |
---|---|
Affected versions | < 2.1.4.0_rc3, < 2.2.1.0_rc5 |
Unaffected versions | >= 2.1.4.0_rc3, >= 2.2.1.0_rc5 |
Ansible is a radically simple IT automation platform.
An input validation vulnerability was found in Ansible’s handling of data sent from client systems.
An attacker who controls a client system managed by Ansible and can send facts back to the Ansible server could execute arbitrary code on the Ansible server with the privileges of the Ansible server.
There is no known workaround at this time.
All Ansible 2.1.x users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.1.4.0_rc3"
All Ansible 2.2.x users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.2.1.0_rc5"
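To find controllers that still run an affected version, the following added example (not part of the advisory or of any Ansible or Gentoo tooling) applies the version table branch by branch, as the two upgrade instructions imply. The host names and inventory are constructed, and the parser is a simplification that handles only dotted numbers with an optional `_rc` suffix, not the full Gentoo version syntax.

```python
import re

# Fixed version per release branch, taken from the advisory's version table.
FIXED = {(2, 1): "2.1.4.0_rc3", (2, 2): "2.2.1.0_rc5"}
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:_rc(\d+))?$")


def parse(version):
    """Turn '2.1.4.0_rc3' into a key that sorts release candidates first."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    # (0, n) for _rcN, (1, 0) for a final release: rc3 < rc5 < final.
    suffix = (0, int(match.group(2))) if match.group(2) else (1, 0)
    return numbers, suffix


def is_affected(version):
    """Apply the advisory's table branch by branch."""
    key = parse(version)
    branch = key[0][:2]
    if branch in FIXED:
        return key < parse(FIXED[branch])
    # Outside 2.1.x and 2.2.x the table reduces to: older branches are
    # below both fixed versions (affected), newer ones are above both.
    return branch < min(FIXED)


def audit(inventory):
    """Return the sorted names of controllers running an affected version."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory: controller name -> installed app-admin/ansible version.
SAMPLE = {
    "ctl-a": "2.1.3.0",      # 2.1.x before the fix
    "ctl-b": "2.1.4.0",      # fixed 2.1.x; a flat "< 2.2.1.0_rc5" test would flag it
    "ctl-c": "2.2.0.0",      # unfixed 2.2.x; a flat ">= 2.1.4.0_rc3" test would clear it
    "ctl-d": "2.2.1.0_rc5",  # first fixed 2.2.x
    "ctl-e": "2.0.2.0",      # older branch
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(f"{host}: upgrade required ({SAMPLE[host]})")
```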
Release date: January 31, 2017
Latest revision: January 31, 2017: 1
Severity: normal
Exploitable: remote
Bugzilla entries