The company is issuing two new release candidates to address CVE-2016-9587.

A bug rated as "high" in risk has been detected in Ansible, an agentless open source IT automation framework that assists IT administrators in automating daily tasks.

The company is issuing two new release candidates to address CVE-2016-9587, James Cammarata, a senior principal software engineer for Ansible (a division of Red Hat), announced on a Google forum.

The vulnerability is a high risk, he explained, because "a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the Ansible or Ansible-playbook command)."

He asked that systems administrators apply the patches (2.1.4 RC1 and 2.2.1 RC3) so the final release can be distributed as soon as possible.

The bug was first detected by a Netherlands-based firm, Computest, which in its advisory explained that the bug could "allow a compromised host to execute commands on the Ansible controller and thus gain access to the other hosts controlled by that controller."

The Computest advisory explained that the issue lay in how the Ansible controller manages Facts, an API feature that retrieves data about remote systems.

Computest praised Ansible for its response in issuing a fix, and Ansible's Cammarata thanked the security team at Computest, "who did an amazing job of finding the flaws and creating an excellent set of tests to reproduce them for us."