Fixing ImageMagick CVE-2016–3714 With Ansible
There’s a recently discovered vulnerability in ImageMagick(CVE-2016-3714) that’s incredibly easy to patch via Ansible. To address the patch we’ll utilize ImageMagick’s policy.xml file which is a recommended fix.
We’ll utilize the copy module which will help us copy a new policy file within the files/ directory of our role up to the server.
Assuming we have a role that installs imagemagick called imagemagick with a main task file containing:
roles/nickhammond.imagemagick/tasks/main.yml
---
- name: Install ImageMagick
apt: name=imagemagick state=present
We can go ahead and create a new policy.xml file with the contents of the recommended fix in it:
roles/nickhammond.imagemagick/files/imagemagick.policy.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>
Note: Take a look at /etc/ImageMagick/policy.xml before replacing it, there’s a few other useful policy options that you might be interested in that are commented out by default.
Now that we’ve built our new policy file we can go ahead and create a task to copy it to any machine. Add a task to the main task file so that it now contains the following:
---
- name: Install ImageMagick
apt:
name: imagemagick
state: present
tags: [imagemagick]
- name: Add ImageMagick policy file for CVE-2016–3714
copy:
src: imagemagick.policy.xml
dest: /etc/ImageMagick/policy.xml
tags: [imagemagick]
Typically you’ll install ImageMagick within some other role, if you tag the task though you can just run the ImageMagick specific tasks and target the specific vulnerability.
Now we can utilize our playbook that includes our ImageMagick role to patch the vulnerability. Here’s a simple playbook that we can use to include our playbook and run it.
image-server.yml
---
- hosts: all
roles:
- nickhammond.imagemagick
From here you can use various inventory and limit combinations to target the specific servers that this needs to be released on and run the patch.
ansible-playbook -i inventory/production -l image -s image-server.yml -K -t imagemagick
This ad-hoc command runs with the following options:
-i- Uses our production inventory file-l- Limits the servers to a host pattern matching “image”-s- Runs as sudo since the file is owned by root- Uses the image-server.yml playbook
-K- Prompts for the sudo password, not needed if you have passwordless sudo-t- Only runs tasks tagged withimagemagick
If you’d like to do a quick sanity check before running this everywhere you can always use -C to check what will actually be changed.
Once you’ve run that on your servers you can then verify that the policies are in place with convert -list policy, it’ll look similar to this output:
$ convert -list policy
Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL