There's a recently discovered vulnerability in ImageMagick (CVE-2016-3714) that's incredibly easy to patch via Ansible. To apply the patch we'll use ImageMagick's policy.xml file, which is the recommended fix. We'll use the copy module to push a new policy file from the files/ directory of our role up to the server.
Assuming we have a role that installs imagemagick called imagemagick with a main task file containing:
---
- name: Install ImageMagick
  apt: name=imagemagick state=present
We can go ahead and create a new policy file (imagemagick.policy.xml in the role's files/ directory) with the contents of the recommended fix in it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
Note: Take a look at /etc/ImageMagick/policy.xml before replacing it; there are a few other useful policy options, commented out by default, that you might be interested in.
Now that we've built our new policy file we can go ahead and create a task to copy it to any machine. Add a task to the main task file so that it now contains the following:
---
- name: Install ImageMagick
  apt:
    name: imagemagick
    state: present
  tags: [imagemagick]

- name: Add ImageMagick policy file for CVE-2016-3714
  copy:
    src: imagemagick.policy.xml
    dest: /etc/ImageMagick/policy.xml
  tags: [imagemagick]
Typically you'll install ImageMagick within some other role; if you tag the task, though, you can run just the ImageMagick-specific tasks and target this specific vulnerability. Now we can use a playbook that includes our ImageMagick role to patch the vulnerability. Here's a simple playbook that includes the role and runs it:
---
- hosts: all
  roles:
    - nickhammond.imagemagick
From here you can use various inventory and limit combinations to target the specific servers this needs to be rolled out to, and run the patch:
ansible-playbook -i inventory/production -l image -s image-server.yml -K -t imagemagick
This command runs with the following options:
-i  Uses our production inventory file
-l  Limits the servers to a host pattern matching "image"
-s  Runs as sudo, since the file is owned by root
image-server.yml  The playbook to run
-K  Prompts for the sudo password; not needed if you have passwordless sudo
-t  Only runs tasks tagged with imagemagick
If you'd like to do a quick sanity check before running this everywhere, you can always add -C to see what would actually be changed.
Once you've run that on your servers you can verify that the policies are in place with convert -list policy; it'll look similar to this output:
$ convert -list policy
Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
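As an added verification step (example code, not part of the original post or the role), the following script parses a deployed policy.xml and reports which of the five coders from the recommended fix are still enabled. The path default, the REQUIRED_BLOCKED_CODERS set and both sample policies are constructed here; the partial sample shows a common mistake, an entry placed in the wrong domain, which the check catches.

```python
import xml.etree.ElementTree as ET

# Coders that the recommended CVE-2016-3714 mitigation must deny all rights to.
REQUIRED_BLOCKED_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}

def blocked_coders(policy_xml):
    """Return the set of coder patterns that this policy.xml denies all rights to."""
    root = ET.fromstring(policy_xml)
    blocked = set()
    for policy in root.iter("policy"):
        # Only domain="coder" entries restrict a coder; other domains do not count.
        if policy.get("domain") != "coder":
            continue
        rights = (policy.get("rights") or "").strip().lower()
        pattern = policy.get("pattern")
        if pattern and rights == "none":
            blocked.add(pattern.upper())
    return blocked

def missing_coders(policy_xml):
    # Coders from the recommended fix that this policy still leaves enabled.
    return REQUIRED_BLOCKED_CODERS - blocked_coders(policy_xml)

def check_policy_file(path="/etc/ImageMagick/policy.xml"):
    """Read a deployed policy.xml and return the set of coders it fails to block."""
    with open(path, encoding="utf-8") as fh:
        return missing_coders(fh.read())

# Constructed sample: the policy file from the post (DOCTYPE shortened).
FULL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
]>
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

# Constructed sample of a mis-written policy: MSL sits in the delegate domain, so it stays enabled.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="delegate" rights="none" pattern="MSL" />
</policymap>
"""
```

Run check_policy_file() on each server after the playbook; an empty set means all five coders are blocked.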