#VU23449 OS Command Injection in Ansible - CVE-2019-14904


| Updated: 2020-01-24

Vulnerability identifier: #VU23449

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-14904

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ansible
Server applications / Remote management servers, RDP, SSH

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing zone names within the solaris_zone module. A remote uuser can provide a specially crafted zone name as a parameter to the os.system() call and execute arbitrary OS commands on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ansible: 2.7.0 rc1 - 2.7.15, 2.8.0 rc1 - 2.8.7, 2.9.0 rc1 - 2.9.1

External links
https://bugzilla.redhat.com/show_bug.cgi?id=1776944
https://github.com/ansible/ansible/blob/8c74df5e67fcae15d5d050ea1ffb4d6d1aa9070c/lib/ansible/modules/system/solaris_zone.py#L313
https://access.redhat.com/errata/RHSA-2020:0218
https://access.redhat.com/errata/RHSA-2020:0217
https://access.redhat.com/errata/RHSA-2020:0216
https://access.redhat.com/errata/RHSA-2020:0215

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 20.03 LTS SP1 update for ansible
openEuler 20.03 LTS SP2 update for ansible
Debian update for ansible
OpenSUSE Linux update for ansible
OpenSUSE Linux update for ansible
Fedora EPEL 8 update for ansible
Fedora EPEL 7 update for ansible
Fedora 31 update for ansible
Fedora 30 update for ansible
OS Command Injection in ansible (Alpine package)