Protecting your servers against ImageTragick (CVE-2016-3714) and CVE-2016-5118 using Ansible
June 2, 2016
On May 3rd, details were published about a vulnerability in ImageMagick (CVE-2016-3714), allowing remote code execution if you process user submitted images. Exploits for this vulnerability are being used in the wild.
The following ansible playbook may be used to apply the policy file mitigation discussed on that website. If the server(s) you wish to protect has a policy.xml file in a different location, be sure to modify the with_items list of the first task.
Update 2nd of June: on May 29th, another vulnerability was disclosed regarding ImageMagick.
This vulnerability was assigned CVE-2016-5118. It is possible to execute shell commands by using a pipe in the file open syntax. The playbook
below has been modified to protect agains this vulnerability as well, with special thanks to
Note: Updated packages have been released that fix this vulnerability for
Ubuntu and Debian. The updated packages make the policy.xml file change unnecessary (but
it wont hurt either).
To execute the playbook, save it in a file called imagetragick.yml and execute it using ansible-playbook: