Diffstat (limited to 'releasenotes/notes/ansible-plugin-security-90ecd81635e12179.yaml')
-rw-r--r-- | releasenotes/notes/ansible-plugin-security-90ecd81635e12179.yaml | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/releasenotes/notes/ansible-plugin-security-90ecd81635e12179.yaml b/releasenotes/notes/ansible-plugin-security-90ecd81635e12179.yaml new file mode 100644 index 000000000..4c22ebcf1 --- /dev/null +++ b/releasenotes/notes/ansible-plugin-security-90ecd81635e12179.yaml @@ -0,0 +1,31 @@ +--- +security: + - | + A vulnerability which allowed the execution of untrusted code on + the executor was fixed. + + Zuul restricts the Ansible modules and plugins which can be used + in the `untrusted` security context (i.e., untrusted projects). + It also prohibits running programs on the Zuul executor in the + untrusted security context. + + Ansible 2.8 and later versions support referencing builtin modules + using the `ansible.builtin.<name>` alias. Playbooks which use + this mechanism can bypass Zuul's security restrictions and run + arbitrary local code or otherwise restricted modules. + + Zuul's use of bubblewrap means that any commands executed via this + vulnerability would still be contained within the restricted + environment, meaning that they can not access files outside of the + build directory or continue running longer than the playbook. But + they may have been able to access files within the build directory + but outside of the `work/` directory, as well as potentially + exploit any kernel or hypervisor privilege escalation + vulnerabilities. + + The Zuul team now considers the restricted Ansible environment to + be ineffective as a security mechanism and is developing plans to + remove the restrictions and rely entirely on bubblewrap in the + future. These changes will occur in a future release of Zuul + (likely 6.0.0) and will be preceded by more details about the + change. |
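Review bot: the inline literals in this note use single backticks (`untrusted`, `ansible.builtin.<name>`, `work/`), which in the reStructuredText that reno feeds to Sphinx are interpreted text (the default role, rendered like a title reference), not code; use double backticks, e.g. ``ansible.builtin.<name>`` and ``work/``, so the alias and the directory name render as literals. Two smaller points in the same paragraphs: the note never says what the fix actually does (whether the `ansible.builtin.<name>` aliases are now rejected in the untrusted context or resolved through the same restriction list), so an operator reading the note cannot tell what to verify after upgrading; one sentence on that would help. And the sentence "But they may have been able to access files within the build directory but outside of the `work/` directory" repeats "but"; "They may, however, have been able to access files within the build directory but outside of ``work/``" reads more cleanly.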