Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 22 Jul 2014 03:36:37 +0200
From: Andrea Barisani <>
Subject: [oCERT-2014-004] Ansible input sanitization errors

#2014-004 Ansible input sanitization errors


The Ansible project is an open source configuration management platform.

The Ansible platform suffers from input sanitization errors that allow
arbitrary code execution as well as information leak, in case an attacker is
able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access
level into arbitrary code execution. The code execution can be triggered by
interpolation of file names maliciously crafted as lookup plugin commands, in
combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in
the face of an attacker controlling variable data (whether fact data,
with_fileglob data, or other sources), allowing an attacker to supply their
own options to an action. The impact of this is dependent on the action
module the attacker targets. For example, an attacker controlling variables
passed to the copy or template actions would be able to trigger arbitrary
code execution (in addition to simple information leakage) via the validate
option's acceptance of arbitrary shell code.

Affected version:

Ansible <= 1.6.6

Fixed version:

Ansible >= 1.6.7

Credit: vulnerability report received from Brian Harring <ferringb AT>.

CVE: CVE-2014-4966 (lookup function), CVE-2014-4967 (action arguments)


2014-07-01: vulnerability report received
2014-07-02: contacted Ansible maintainers
2014-07-02: disclosure coordinated on 2014-07-17
2014-07-15: assigned CVEs
2014-07-06: maintainer provides patch for review
2014-07-17: maintainer provides updated patch based on reporter's feedback
2014-07-17: embargo date lifted due to ongoing evaluations of patch
            effectiveness and additional reporter feedback
2014-07-17: maintainer provides updated patch which provides solutions for
            additional findings
2014-07-18: disclosure date updated to 2014-07-21
2014-07-18: maintainer provides updated patch for review
2014-07-20: maintainer provides updated patch indicating all reported
            issues as closed
2014-07-21: advisory release



Andrea Barisani |                Founder & Project Coordinator
          oCERT | OSS Computer Security Incident Response Team

 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.