
RedHat Ansible High-Risk Vulnerability - fapjacks
https://lwn.net/Articles/711357/
======
ivank
[https://news.ycombinator.com/item?id=13380809](https://news.ycombinator.com/item?id=13380809)

------
fapjacks
There is some interesting discussion in this LWN subscriber link
([https://lwn.net/SubscriberLink/711791/5109edb099f55603/](https://lwn.net/SubscriberLink/711791/5109edb099f55603/)).
I'm not sure about posting subscriber-only links, but this was pasted in a
well-trafficked IRC channel on Freenode, and LWN seems to want these links
spread far and wide as long as they aren't used to subvert their subscription
model.

------
rarrrrrr
Odd. I reported this very same form of vulnerability to the Ansible team in
the 1.5.4 series in 2014, where the code basically eval'd the "facts"
discovered from a system under management.

There was this "safe_eval" function which filtered input in a way quite
inconsistent with its name. The Ansible team was responsive and pleasant to
work with.

[https://groups.google.com/forum/#!topic/ansible-project/MUQx...](https://groups.google.com/forum/#!topic/ansible-project/MUQxiKwSQDc)

But I suspect lots of remote control and monitoring software products might
have security bugs like this where they assume that the returned information
from systems under management are trustworthy.

Edit to add: Here's the patch made to safe_eval. I had suggested using
literal_eval instead but I think they didn't want to require Python 2.6+.
[https://github.com/ansible/ansible/commit/998793fd0ab55705d5...](https://github.com/ansible/ansible/commit/998793fd0ab55705d57527a38cee5e83f535974c)
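The distinction the comment above draws (filtering an expression before `eval` versus parsing only data with `literal_eval`) in working form, as an added example that is neither Ansible's code nor the commenter's patch. The function names `parse_fact` and `load_facts`, and the sample facts, are constructed for illustration; the point is that a value reported by a managed host is treated strictly as data, so any expression that is not a Python literal is rejected by `ast.literal_eval` and passed through as an ordinary string instead of being evaluated.

```python
import ast

# Errors ast.literal_eval can raise on untrusted input. SyntaxError covers
# plain text that is not Python at all; ValueError covers syntactically valid
# code that is not a literal (names, calls, attribute access); the rest guard
# against pathological nesting.
_LITERAL_ERRORS = (ValueError, SyntaxError, TypeError, MemoryError, RecursionError)


def is_literal(raw: str) -> bool:
    """True if `raw` is a Python literal (number, string, list, dict, ...)."""
    try:
        ast.literal_eval(raw)
    except _LITERAL_ERRORS:
        return False
    return True


def parse_fact(raw):
    """Turn a string reported by a managed host into structured data, or
    leave it untouched.

    Only literals are converted; an expression such as a function call or
    an attribute lookup is never executed and comes back as the same plain
    string, which is the behaviour a "safe eval" of host facts needs.
    """
    if not isinstance(raw, str):
        return raw
    try:
        return ast.literal_eval(raw)
    except _LITERAL_ERRORS:
        return raw


def load_facts(reported: dict) -> dict:
    """Apply parse_fact to every string value in a (possibly nested) dict
    of facts gathered from a host; keys are kept as-is."""
    out = {}
    for key, value in reported.items():
        if isinstance(value, dict):
            out[key] = load_facts(value)
        else:
            out[key] = parse_fact(value)
    return out


# Constructed sample of what a host might send back (hypothetical, not real
# Ansible fact names for the last entry). The "ansible_hostname" value is an
# expression rather than a hostname: a naive eval would run it, literal_eval
# refuses it and the controller keeps the raw text.
SAMPLE_FACTS = {
    "ansible_mounts": "[{'mount': '/', 'size': 42}]",
    "ansible_processor_count": "4",
    "ansible_hostname": "__import__('os').getcwd()",
    "ansible_env": {"SHELL": "/bin/bash", "LANG": "os.environ"},
}

if __name__ == "__main__":
    for name, value in load_facts(SAMPLE_FACTS).items():
        print(f"{name}: {value!r} ({type(value).__name__})")
```

Run stand-alone, the script prints the mounts as a list of dicts and the processor count as an int, while both expression-shaped values stay strings. Rejection by `ast.literal_eval` is the signal worth logging in a real controller: a host reporting a fact that parses as code but not as data is either misconfigured or hostile, and neither case should be silently evaluated.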

------
SFJulie
It has a smell of Shellshock: the interpretation of variables passed for
flexibility that resulted in a huge game of whack-a-mole in bash. Two years
later, Shellshock is not officially fixed.
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-71...](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169)

------
lobo_tuerto
If someone was moving away from Ansible, what would be the best option(s) to
consider?

~~~
lucd
You may also consider CFEngine. Each solution has its strengths and
weaknesses; what will you be using it for?

~~~
lobo_tuerto
I was asking just out of curiosity. I'm not really an Ansible user, but I was
looking forward to learning it as part of my own devops education stuff.

