Playbook #279
/home/ssh-gateway/ansible/RM9537.yaml
Execution
Date 08 May 2024 13:13:13 +0100
Duration 00:00:03.63
Controller ssh-gw-4.layershift.com
User root
Versions
Ansible 2.16.4
ara 1.7.1 / 1.7.2.dev2
Python 3.10.10
Summary
1 Hosts
3 Tasks
3 Results
1 Plays
1 Files
0 Records
remote_user:root check:False tags:all subset:kuly-c7-uk.uk.easy-server.com

File: /home/ssh-gateway/ansible/RM9537.yaml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
---
- name: Mitigating CVE-2024-2961
  hosts: all, !wolf-serv1.uk.plesk-server.com
  gather_facts: false

  tasks:
    - name: Check if gconv-modules-extra.conf exists
      ansible.builtin.stat:
        path: /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
      register: gconv_modules_extra_exist
    - name: Check if gconv-modules exists
      ansible.builtin.stat:
        path: /usr/lib64/gconv/gconv-modules
      register: gconv_modules_exist
    - name: Match and comment out block in the configuration file
      ansible.builtin.lineinfile:
        backup: true
        path: "{{ '/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf' if gconv_modules_extra_exist.stat.exists else '/usr/lib64/gconv/gconv-modules' }}"
        block: |
          # The following block is commented out due to CVE-2024-2961 mitigation
          alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
          module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
          module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
        marker: "# {mark} Start/End of CVE-2024-2961 mitigation block"
      register: config_changes
      notify:
        - run_iconvconfig
      when: gconv_modules_extra_exist.stat.exists or gconv_modules_exist.stat.exists

  handlers:
    - name: Run iconvconfig
      ansible.builtin.command: iconvconfig
      when: config_changes.changed
      listen: run_iconvconfig