CVE-2016-9587: an unpleasant Ansible vulnerability
The Ansible project is currently posting release candidates for the 2.1.4
and 2.2.1 releases. They fix an important security bug:
"CVE-2016-9587 is rated as HIGH in risk, as a compromised remote
system being managed via Ansible can lead to commands being run on the
Ansible controller (as the user running the ansible or ansible-playbook
command)."
Until this release is made, it would make sense to be
especially careful about running Ansible against systems that might have
been compromised.
Update: see this advisory for much more detailed information.