Bug 1403228

Summary: ansible: Variables from vault are being output to console/log when using with_items
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: a.badger, aortega, apevec, arubin, athmanem, ayoung, bleanhar, ccoleman, chrisw, cvsbot-xmlrpc, dedgar, dmcphers, jgoulding, jialiu, jjoyce, jkeck, jmatthew, joelsmith, jokerman, jschluet, kbasil, kdube, kevin, kseifried, kupo, lhh, lmeyer, lpeer, markmc, mark, maxim, mmccomas, mrehak, nthomas, qci-bugzillas, rbryant, rhos-maint, rhs-bugs, sankarshan, sclewis, sgirijan, sisharma, slinaber, smallamp, smohan, ssaha, storage-qa-internal, tcarlin, tdawson, tdecacqu, toromoti, tsanders, tvignaud, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-12-23 17:58:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1403229, 1403230, 1403231, 1403232
Bug Blocks: 1403234

Description Adam Mariš 2016-12-09 13:18:06 UTC
It was found that variables from vault are being printed to the console/log during the ansible run when using with_items, potentially exposing security-sensitive data.

Upstream bug:

https://github.com/ansible/ansible/issues/14646

Comment 1 Adam Mariš 2016-12-09 13:19:36 UTC
Created ansible1.9 tracking bugs for this issue:

Affects: fedora-all [bug 1403230]
Affects: epel-all [bug 1403232]

Comment 2 Adam Mariš 2016-12-09 13:20:01 UTC
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1403229]
Affects: epel-all [bug 1403231]

Comment 4 Kurt Seifried 2016-12-23 17:58:47 UTC
> From: Kurt Seifried
> Ok just to confirm once you set this in the playbook (no_log) it can only
> be overridden by the env var correct?
> 
> "Note that the use of the no_log attribute does not prevent data from
> being shown when debugging Ansible itself via the ANSIBLE_DEBUG
> environment variable."
> 
> however both of these are essentially under administrative control on the
> ansible server, by users that would also have access to the ansible vault,
> correct?

Correct - passing ANSIBLE_DEBUG implies you're running the playbook, and
to run the playbook, you'd have access to the vault file and would need
the vault password to decrypt it anyway.

> If so there is no trust boundary violation, so this is not a security
> vulnerability, so no CVE/etc. It could be seen potentially as something
> to harden, but that would be at your discretion essentially (and in this
> case it appears to not even be something that should be hardened as it
> already has been via no_log essentially).
> 
> If confirmed I'll close it out on my side.
Thanks!

Bill

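The playbook below is added here as an illustration of the pattern discussed in this bug and in Comment 4; it is not part of the bug report or of the Ansible project. It loops over vault-sourced values with `with_items`, first without and then with `no_log: true`. The vars file `secrets.yml` and the variables `db_password` and `api_token` are assumptions, standing in for a file created with `ansible-vault`.

```yaml
# Added example, not from the bug report or the Ansible project.
# Assumes a vault-encrypted vars file named secrets.yml (hypothetical,
# e.g. created with `ansible-vault create secrets.yml`) that defines
# db_password and api_token.
- name: Vault values and with_items loop output
  hosts: localhost
  gather_facts: false
  vars_files:
    - secrets.yml   # hypothetical vault-encrypted file

  tasks:
    # Weak: each loop item is echoed in the task result line as
    # "(item=...)", so the decrypted vault values reach the console and
    # any log_path or callback output.
    - name: Write secrets to files (item values are echoed)
      copy:
        content: "{{ item.value }}"
        dest: "/tmp/{{ item.name }}"
        mode: "0600"
      with_items:
        - { name: db_password, value: "{{ db_password }}" }
        - { name: api_token, value: "{{ api_token }}" }

    # Hardened: no_log: true censors the task's result details, so the
    # item values are not echoed for any iteration of the loop.
    - name: Write secrets to files (item values censored)
      copy:
        content: "{{ item.value }}"
        dest: "/tmp/{{ item.name }}"
        mode: "0600"
      with_items:
        - { name: db_password, value: "{{ db_password }}" }
        - { name: api_token, value: "{{ api_token }}" }
      no_log: true
```

Running this with `ansible-playbook --ask-vault-pass <playbook>.yml` shows the difference directly: the first task prints each item, including the decrypted value, in its result line, while the second does not. As Comment 4 points out, `no_log` does not apply when Ansible itself is being debugged via the `ANSIBLE_DEBUG` environment variable, so that variable should stay unset wherever playbook output is captured to a log.
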
Comment 5 Borja Tarraso 2019-09-10 11:47:55 UTC
*** Bug 1743217 has been marked as a duplicate of this bug. ***