Ansible Vulnerabilities 2019
Christmas is closing by and we move in to the christmas feelings
we wanted to write something extra for christmas.
A tool we all love more then santa is Ansible !
Ansible is a opensource tool written in Python
used by system administrators to manage and deploy computer
servers and virtual machines.
Several vulnerabilities has now been reported that affects
A vulnerability has been reported and found in Ansible Tower
which is a project by Red Hat.
A bug was found in Ansible Tower where the RHSM credentials
are saved in plain text in the database
that is available at ‘/api/v2/config’ after applying
the Ansible Tower license. Attackers with this information
could log into RHSM(Red Hat Subscription Management)
and modify licenses and make other changes.
The vulnerability has been given the CVE of CVE-2019–14890
The bug has been reported to redhat and patched in
the following link:
Summary from the github issue
Convert CLI provided passwords to text initially, to
prevent unsafe context being lost when converting
from bytes->text during
post processing of PlayContext.
This prevents CLI provided passwords from
being incorrectly templated (CVE-2019-14856)
Update AnsibleUnsafeText and AnsibleUnsafeBytes
to maintain unsafe context by overriding .encode and .decode. This
prevents future issues with to_text, to_bytes, or to_native
removing the unsafe wrapper when converting between string types
The patch for this vulnerability has been patched and the
code has changed
- > **security issue** - Convert CLI provided passwords to text initially, to prevent unsafe context being lost when converting from bytes->text during post processing of PlayContext. This prevents CLI provided passwords from being incorrectly templated. - > **security issue** - Update ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes`` to maintain unsafe context by overriding ``.encode`` and ``.decode``. This prevents future issues with ``to_text``, ``to_bytes``, or ``to_native`` removing the unsafe wrapper when converting between string types.
The vulnerability has been given the CVE of CVE-2019–14856
A vulnerability was found in the gcp_storage_object.py function which cause the a failure when calling the service_account_contents function. The vulnerability has been given the CVE of CVE-2019–10217 The vulnerability was quickly reported to ansible throw a github issue the problem was quickly addressed and patched. https://github.com/ansible/ansible/issues/56269
From us all to you all, we from firo wishes you a merry christmas
with a happy anouncement that we have pas over 300 000 unique views
on this blog! We are happy to provide you with this blog
and happily wishes you a merry christmas and a happy new year