Number: AV17-005
Date: 11 January 2017
Purpose
The purpose of this advisory is to bring attention to the recently released security updates for Ansible.
Assessment
Security updates were released for Ansible to address a vulnerability rated high severity. Exploitation of this vulnerability could allow an attacker to execute commands on the Ansible controller associated with a managed host. That access could then be leveraged to compromise other hosts managed by the same Ansible controller.
Ansible is an open-source IT infrastructure automation engine. It automates application deployment/management, configuration management and cloud provisioning.
Affected versions:
Ansible versions 2.1.x prior to 2.1.4 RC1
Ansible versions 2.2.x prior to 2.2.1 RC3
CVE Reference: CVE-2016-9587
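The following is an added example, not part of the CCIRC advisory, that turns the affected-version ranges above into a check an administrator can run against the first line of `ansible --version` output (assumed here to look like "ansible 2.2.0.0"; pre-release strings such as "2.1.4rc1" are also accepted). Branches the advisory does not mention are reported as not covered rather than as safe.

```python
import re
import subprocess

# Fix thresholds from AV17-005: 2.1.x before 2.1.4 RC1 and 2.2.x before 2.2.1 RC3 are affected.
# Tuples are (major, minor, patch, rc); a final release uses rc=inf so it sorts after any RC.
FIXED_IN = {
    (2, 1): (2, 1, 4, 1),   # 2.1.4 RC1
    (2, 2): (2, 2, 1, 3),   # 2.2.1 RC3
}

# Accepts "ansible 2.2.0.0", "2.1.4rc1", "2.2.1 RC3"; extra ".N" components are ignored.
_VERSION_RE = re.compile(
    r"^\s*(?:ansible\s+)?(\d+)\.(\d+)\.(\d+)(?:\.\d+)*(?:\s*rc\s*(\d+))?", re.I
)


def parse_version(text):
    """Parse a version string into a comparable (major, minor, patch, rc) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ansible version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else float("inf"))


def is_affected(text):
    """True if the version is in an affected range, False if at/after the fix,
    None if the advisory says nothing about this minor branch."""
    version = parse_version(text)
    fix = FIXED_IN.get(version[:2])
    if fix is None:
        return None
    return version < fix


def check_installed():
    """Run `ansible --version` (assumed on PATH) and classify the installed build."""
    try:
        out = subprocess.run(["ansible", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_affected(out.splitlines()[0])


if __name__ == "__main__":
    # Constructed sample lines standing in for real `ansible --version` output.
    for line in ["ansible 2.2.0.0", "ansible 2.1.3.0", "2.1.4rc1", "ansible 2.0.2.0"]:
        print(f"{line:18} affected={is_affected(line)}")
```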
Suggested action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications.
References
Ansible Security Advisory:
https://groups.google.com/forum/#!topic/ansible-devel/SyrgcUySAIQ
Security Researcher – Computest Advisory:
https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt