Ansible: Remote execution of arbitrary code — GLSA 201701-77

A vulnerability in Ansible may allow rogue clients to execute commands on the Ansible controller.

Affected Packages

app-admin/ansible on all architectures
Affected versions < 2.1.4.0_rc3
< 2.2.1.0_rc5
Unaffected versions >= 2.1.4.0_rc3
>= 2.2.1.0_rc5

Background

Ansible is a radically simple IT automation platform.

Description

An input validation vulnerability was found in Ansible’s handling of data sent from client systems.

Impact

An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could execute arbitrary code on the Ansible server using the Ansible-server privileges.

Workaround

There is no known workaround at this time.

Resolution

All Ansible 2.1.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.1.4.0_rc3"
 

All Ansible 2.2.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.2.1.0_rc5"
 

References

Release Date
January 31, 2017

Latest Revision
January 31, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries