Bug 1440912 (CVE-2017-7473)

Summary: CVE-2017-7473 ansible: Potential information disclosure via no_log directive
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, bleanhar, btarraso, carnil, ccoleman, chrisw, cvsbot-xmlrpc, dedgar, dmcphers, gmollett, jgoulding, jjoyce, jkeck, jschluet, kbasil, lhh, lpeer, markmc, rbryant, rcyriac, rhos-maint, sclewis, security-response-team, sisharma, slinaber, slong, tdawson, tdecacqu, tvignaud, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the no_log directive (information may not be sanitized properly).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-21 01:13:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1441405, 1441406, 1441407, 1441408, 1446536    
Bug Blocks: 1440915    

Description Adam Mariš 2017-04-10 18:00:35 UTC 
It was found that ansible does not sanitize task content before sending it to the callback plugins when using no_log directive.
Comment 1 Adam Mariš 2017-04-10 18:00:52 UTC 
Acknowledgments:

Name: David Moreau Simard (Red Hat)
Comment 3 Kurt Seifried 2017-04-11 21:23:16 UTC 
Created ansible1.9 tracking bugs for this issue:

Affects: fedora-all [bug 1441406]
Affects: epel-all [bug 1441408]
Comment 4 Kurt Seifried 2017-04-11 21:23:34 UTC 
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1441405]
Affects: epel-all [bug 1441407]
Comment 22 Toshio Kuratomi 2017-10-30 20:44:32 UTC 
A few of us working on Ansible upstream talked about this with btarraso last week.  We decided this is not a bug in Ansible but in any callback plugins which are not sanitizing information which they output.

* Callback plugins could legitimately be using that information so we have to pass it on to them.
* Ansible runs the callback plugins in-process so there's no way to protect against malicious callback plugins getting access to that information a different way and then using it.  Even if we ran them out of process, they would still run as the user invoking ansible so there are still a variety of ways a malicious plugin could make changes that would eventually yield that information.  You have to trust your plugins.

Note that the changelog entry noted above "* modules and callbacks have been extended to support no_log to avoid data disclosure" is not about this issue.  we have two features which use the no_log keyword.  One is task-level no_log which says not to log any of the information about a task (other than it ran successfully or not) is what this bug seems to be raised on.  The other is module arguments which are marked as no_log in the module's code which is what the changelog entry is about.
Comment 31 Doran Moppert 2020-02-21 01:13:22 UTC 
Statement:

Ansible Security Team and Red Hat Product Security determined that this is not a vulnerability.