blob: 4c22ebcf18c4f57f6abb31184249839a6fb93bc1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
---
security:
- |
A vulnerability which allowed the execution of untrusted code on
the executor was fixed.
Zuul restricts the Ansible modules and plugins which can be used
in the `untrusted` security context (i.e., untrusted projects).
It also prohibits running programs on the Zuul executor in the
untrusted security context.
Ansible 2.8 and later versions support referencing builtin modules
using the `ansible.builtin.<name>` alias. Playbooks which use
this mechanism can bypass Zuul's security restrictions and run
arbitrary local code or otherwise restricted modules.
Zuul's use of bubblewrap means that any commands executed via this
vulnerability would still be contained within the restricted
environment, meaning that they can not access files outside of the
build directory or continue running longer than the playbook. But
they may have been able to access files within the build directory
but outside of the `work/` directory, as well as potentially
exploit any kernel or hypervisor privilege escalation
vulnerabilities.
The Zuul team now considers the restricted Ansible environment to
be ineffective as a security mechanism and is developing plans to
remove the restrictions and rely entirely on bubblewrap in the
future. These changes will occur in a future release of Zuul
(likely 6.0.0) and will be preceded by more details about the
change.
|
