Understanding and Addressing Ansible Vulnerabilities in Ubuntu
Canonical has released crucial Ubuntu security updates to address multiple vulnerabilities in Ansible, a popular configuration management, deployment, and task execution system. These updates are available for various Ubuntu releases, including Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 16.04 ESM. This article explores the specifics of these vulnerabilities, their potential impacts, and the importance of applying these updates promptly.
Ansible Vulnerabilities Fixed in Ubuntu
Two significant vulnerabilities in Ansible were fixed in the recent updates:
CVE-2022-3697 (CVSS v3 Severity Score: 7.5 High)
A vulnerability was discovered in how Ansible handled certain inputs when using the tower_callback parameter. If a user or automated system was tricked into opening a specially crafted input file, a remote attacker could exploit this vulnerability to obtain sensitive information. This issue affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
CVE-2023-5764 (CVSS v3 Severity Score: 7.8 High)
This vulnerability involved Ansible’s handling of specific inputs. Similar to the previous issue, if a user or an automated system opened a specially crafted input file, a remote attacker could potentially use this flaw to perform a Template Injection.
Importance of Applying Updates
Given the high severity scores of these Ansible vulnerabilities, it is crucial to apply the security updates promptly to secure your systems. For supported Ubuntu releases like Ubuntu 22.04 LTS and Ubuntu 20.04 LTS, you can upgrade your Ansible package to the latest version to mitigate these risks.
Support for End-of-Life Ubuntu Versions
Ubuntu 16.04 reached its end of life in April 2021 and Ubuntu 18.04 in May 2023. This means they no longer receive official security updates from Canonical unless you purchase an Ubuntu Pro subscription. While upgrading to a supported Long-Term Support (LTS) version of Ubuntu is strongly recommended for long-term security, there are alternative solutions for maintaining security on these unsupported versions for a limited time.
TuxCare’s Extended Lifecycle Support (ELS) offers continued security updates for an additional five years beyond the official end-of-life date. It covers the Linux kernel, common shared libraries like glibc, openssh, openssl, and various packages like zlib, httpd, mysql, php, python, and more.
The ELS team has already released patches for the aforementioned Ansible vulnerabilities. Users can check the release status of these patches across different operating systems using the TuxCare CVE tracker.
Conclusion
Addressing vulnerabilities in critical software like Ansible is essential for maintaining the security and stability of IT infrastructure. By applying the latest security updates provided by Canonical and leveraging extended support services like TuxCare’s ELS, organizations can protect their systems from potential exploits and ensure continuous operation.
In addition to Ubuntu, TuxCare offers Extended Lifecycle Support for other Linux distributions, including CentOS 6, CentOS 7, CentOS 8, CentOS Stream 8, Oracle Linux 6, as well as outdated versions of PHP and Python. This extended support ensures that even systems running older software versions remain secure against newly discovered vulnerabilities.
Source: USN-6846-1