Ansible: Remote execution of arbitrary code

A vulnerability in Ansible may allow rogue clients to execute commands on the Ansible controller.

ansible 2017-01-31 2017-01-31 605342 remote 2.1.4.0_rc3 2.2.1.0_rc5 2.1.4.0_rc3 2.2.1.0_rc5

Ansible is a radically simple IT automation platform.

An input validation vulnerability was found in Ansible’s handling of data sent from client systems.

An attacker who controls a client system managed by Ansible and can send facts back to the Ansible server could execute arbitrary code on the Ansible server with that server's privileges.

There is no known workaround at this time.

All Ansible 2.1.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/ansible-2.1.4.0_rc3"

All Ansible 2.2.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/ansible-2.2.1.0_rc5"
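
To confirm which controllers still need the upgrade, the following added example (not part of the advisory or of Ansible) compares installed version strings against the fixed versions named in the upgrade commands above. It assumes Gentoo's suffix ordering (`_rc` sorts before the plain release); the host names and inventory are constructed, and branches other than 2.1.x and 2.2.x return `None` because the advisory text gives no upgrade target for them.

```python
import re

# Fixed versions per release branch, taken from the advisory's upgrade commands.
FIXED = {(2, 1): "2.1.4.0_rc3", (2, 2): "2.2.1.0_rc5"}

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$"
)


def version_key(version):
    """Turn a Gentoo-style version string into a sortable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    # (numeric parts, suffix rank, suffix number, ebuild revision)
    return (numbers, SUFFIX_RANK[m.group(2)], int(m.group(3) or 0), int(m.group(4) or 0))


def needs_upgrade(installed):
    """True/False for the 2.1.x and 2.2.x branches; None for any other branch."""
    key = version_key(installed)
    fixed = FIXED.get(key[0][:2])
    if fixed is None:
        return None  # branch not covered by the upgrade instructions
    return key < version_key(fixed)


def audit(inventory):
    """Map controller name -> needs_upgrade() result for a {name: version} dict."""
    return {host: needs_upgrade(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {
        "ctl-a": "2.1.3.0",
        "ctl-b": "2.1.4.0_rc3",
        "ctl-c": "2.2.1.0_rc4",
        "ctl-d": "2.2.1.0",
        "ctl-e": "2.0.2.0",
    }
    labels = {True: "UPGRADE", False: "ok", None: "branch not covered"}
    for host, result in audit(sample).items():
        print(f"{host}: {sample[host]} -> {labels[result]}")
```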
CVE-2016-9587 whissi whissi