Today, Ansible patched several high-impact vulnerabilities that were found and reported by Computest. Ansible is a popular configuration management tool used to manage the configurations of large numbers of servers. The vulnerabilities allow an attacker who has compromised a single managed machine to compromise the Ansible controller as well, thereby gaining access to the entire server park managed by that controller.
If you use Ansible in your infrastructure, it is recommended that you upgrade to the fixed versions (2.1.4 and 2.2.1) as soon as possible.
Computest thanks Ansible for their quick and professional response in the disclosure process. More information can be found at:
Our advisory with technical details: https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt
Ansible publication: https://groups.google.com/forum/#!topic/ansible-devel/SyrgcUySAIQ
Fixes on GitHub: github fix