Bug 1760593 (CVE-2019-14858) - CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in certain failure scenarios
Summary: CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in cer...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14858
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1760594 1760595 1760596 1760597 1760598 1760599 1760600 1766391 1766392 1766393 1766409 1769190
Blocks: 1760566
TreeView+ depends on / blocked
 
Reported: 2019-10-10 21:45 UTC by Borja Tarraso
Modified: 2021-02-16 21:16 UTC (History)
46 users (show)

Fixed In Version: ansible-engine 2.6.20, ansible-engine 2.7.14, ansible-engine 2.8.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
Clone Of:
Environment:
Last Closed: 2019-10-25 00:51:20 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3864 0 None None None 2019-11-13 04:59:43 UTC
Red Hat Product Errata RHBA-2019:3947 0 None None None 2019-11-25 08:55:10 UTC
Red Hat Product Errata RHSA-2019:3201 0 None None None 2019-10-24 13:01:28 UTC
Red Hat Product Errata RHSA-2019:3202 0 None None None 2019-10-24 13:01:12 UTC
Red Hat Product Errata RHSA-2019:3203 0 None None None 2019-10-24 13:06:51 UTC
Red Hat Product Errata RHSA-2019:3207 0 None None None 2019-10-24 14:27:30 UTC
Red Hat Product Errata RHSA-2020:0756 0 None None None 2020-03-10 11:21:43 UTC

Description Borja Tarraso 2019-10-10 21:45:05 UTC 
When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
Comment 1 Borja Tarraso 2019-10-10 21:45:07 UTC 
Acknowledgments:

Name: Sam Doran (Red Hat)
Comment 5 Salvatore Bonaccorso 2019-10-12 07:11:21 UTC 
Do you have an upstream reference on this issue?
Comment 6 Toshio Kuratomi 2019-10-14 15:53:29 UTC 
Upstream fix is: https://github.com/ansible/ansible/pull/63405

Note that the code has changed quite a bit here so some of the backprots will be very different looking.
Comment 8 errata-xmlrpc 2019-10-24 13:01:10 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202
Comment 9 errata-xmlrpc 2019-10-24 13:01:26 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201
Comment 10 errata-xmlrpc 2019-10-24 13:06:49 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203
Comment 11 errata-xmlrpc 2019-10-24 14:27:28 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207
Comment 12 Product Security DevOps Team 2019-10-25 00:51:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14858
Comment 16 Summer Long 2019-10-29 00:32:06 UTC 
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1766409]
Comment 22 errata-xmlrpc 2020-03-10 11:21:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:0756 https://access.redhat.com/errata/RHSA-2020:0756
Comment 23 Eric Christensen 2020-03-17 18:54:43 UTC 
Statement:

Fixes for Red Hat OpenStack Platform (RHOSP) have been set to 'Moderate' because flaw exploitation requires running Ansible with increased verbosity which is not the RHOSP deployment default.

Red Hat Gluster Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible.
Comment 28 Yadnyawalk Tale 2020-04-22 10:22:36 UTC 
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository.
Note You need to log in before you can comment on or make changes to this bug.