Bug 1588855 (CVE-2018-10855)

Summary: CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, abhgupta, ahardin, aos-bugs, apevec, athmanem, bcoca, bcourt, bkearney, bleanhar, bmcclain, btotty, carnil, ccoleman, chrisw, cpelland, cshereme, dajohnso, dbaker, dblechte, dedgar, dms, dominik.mierzejewski, dylan, edube, eedri, gblomqui, gmccullo, gtanzill, hhudgeon, jcammara, jfrey, jgoulding, jhardy, jjoyce, jmatthew, jokerman, jprause, jschluet, jtanner, jupierce, kbasil, kevin, lhh, lpeer, markmc, maxim, mburns, mchappel, mclay, mgoldboi, michal.skrivanek, mmccomas, mmccune, mrike, obarenbo, ohadlevy, pcahyna, rbryant, rchan, rhos-maint, roliveri, sbonazzo, sclewis, security-response-team, sfowler, sherold, simaishi, sisharma, slinaber, smallamp, smunilla, ssaha, sthangav, tbielawa, tcarlin, tdecacqu, tkuratom, tobias.henkel, trankin, tsanders, tvignaud, vbellur, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20180611,reported=20180608,source=customer,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-532,fedora-all/ansible=affected,epel-all/ansible=affected,rhn_satellite_6/ansible=affected,rhev-m-4/ansible=affected,rhes-3/ansible=affected,cfme-5/ansible=affected,openshift-enterprise-3/ansible=notaffected,openshift-online-3/ansible=notaffected,openstack-10/ansible=affected,openstack-12/ansible=affected,openstack-13/ansible=affected,qci-1/ansible=affected,ansible_engine-2/ansible=new,ceph-2/ansible=affected,ceph-3/ansible=affected
Fixed In Version: Ansible 2.4.5, Ansible 2.5.5 Doc Type: If docs needed, set a value
Doc Text:
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:28:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1589301, 1589298, 1589299, 1589303, 1589304, 1590199, 1590200, 1590503, 1590504, 1590505, 1590642, 1590643, 1590644, 1590664, 1590675, 1590676, 1590677    
Bug Blocks: 1588859    

Description Sam Fowler 2018-06-08 00:14:19 UTC
Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled.

Comment 4 Toshio Kuratomi 2018-06-08 16:03:17 UTC
We have a fix for this issue upstream

Comment 7 Sam Fowler 2018-06-11 03:05:21 UTC
Acknowledgments:

Name: Tobias Henkel (BMW Car IT GmbH)

Comment 8 Toshio Kuratomi 2018-06-11 21:02:35 UTC
After talking to btarasso, we have pushed out a PR to address this: https://github.com/ansible/ansible/pull/41414  Will be merging that and backporting to stbale-2.4 stable-2.5 and stable-2.6 branches.  Releases or release candidates with the fix applied will then be released from those branches.

Comment 9 Borja Tarraso 2018-06-12 08:06:43 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1590199]
Affects: fedora-all [bug 1590200]

Comment 10 Toshio Kuratomi 2018-06-12 15:04:50 UTC
I talked to bcoca about the upstream changelog entry for this today and he let me know that iteration is not necessary to provoke this bug.  It is provoked by some (but not all) exceptions raised by a connection plugin.  This will be the text of our changelog entry:

"Some connection exceptions would cause no_log specified on a task to be ignored.  If this happened, the task information, including any private information could have been displayed to stdout and (if enabled, not the default) logged to a log file specified in ansible.cfg's log_path.  Additionally, sites which redirected stdout from ansible runs to a log file may have stored that private information onto disk that way as well"

Comment 20 errata-xmlrpc 2018-06-19 19:26:41 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:1948 https://access.redhat.com/errata/RHSA-2018:1948

Comment 21 errata-xmlrpc 2018-06-19 19:27:03 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:1949 https://access.redhat.com/errata/RHSA-2018:1949

Comment 22 errata-xmlrpc 2018-06-19 19:27:35 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:1949 https://access.redhat.com/errata/RHSA-2018:1949

Comment 24 Doran Moppert 2018-06-26 05:00:48 UTC
External References:

https://github.com/ansible/ansible/pull/41414

Comment 25 errata-xmlrpc 2018-06-26 17:12:14 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.4 for RHEL 7

Via RHSA-2018:2022 https://access.redhat.com/errata/RHSA-2018:2022

Comment 26 errata-xmlrpc 2018-06-27 10:04:01 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2079 https://access.redhat.com/errata/RHSA-2018:2079

Comment 27 errata-xmlrpc 2018-07-12 13:14:13 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:2184 https://access.redhat.com/errata/RHSA-2018:2184

Comment 33 errata-xmlrpc 2018-08-29 16:05:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585

Comment 34 errata-xmlrpc 2019-01-16 17:10:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054