Bug 1649607 (CVE-2018-16859)
| Summary: | CVE-2018-16859 ansible: become password logged in plaintext when used with PowerShell on Windows | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | a.badger, abhgupta, ahardin, aos-bugs, apevec, athmanem, bbuckingham, bcourt, bkearney, bleanhar, bmcclain, ccoleman, chrisw, dajohnso, dbaker, dbecker, dblechte, dedgar, dfediuck, dmetzger, dominik.mierzejewski, eedri, eparis, gblomqui, gmccullo, gtanzill, jcammara, jfrey, jgoulding, jhardy, jjoyce, jokerman, jpadman, jprause, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, markmc, maxim, mburns, mchappel, mgoldboi, michal.skrivanek, mmccomas, mmccune, mrike, obarenbo, ohadlevy, rchan, rhos-maint, rjerrido, roliveri, sbonazzo, sclewis, security-response-team, sherold, simaishi, sisharma, slinaber, smunilla, sparks, ssaha, sthangav, tbielawa, tdecacqu, tkuratom, trankin, tvignaud, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ansible-engine 2.5.13, ansible-engine 2.6.10, ansible-engine 2.7.4 | Doc Type: | If docs needed, set a value |
| Doc Text: | Execution of Ansible content on Microsoft's Windows platform with PowerShell 5 or higher may disclose sensitive execution details, including 'become' passwords, Ansible module arguments, and return values, via PowerShell's 'suspicious scriptblock logging' feature, which is enabled by default. The details are logged to the PowerShell Operational log, which is visible to all authenticated users by default. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-10 10:42:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1649824, 1652768, 1652769, 1652770, 1652771, 1652772, 1652773, 1652774, 1652775, 1652802, 1652803, 1655758, 1655759, 1655760 | | |
| Bug Blocks: | 1647641 | | |
Description
Sam Fowler
2018-11-14 03:52:17 UTC
Acknowledgments: Name: Igor Turovsky

OpenShift Enterprise version 3.8 and later use Ansible from the Ansible repository. Notifications and fixes will come from this.

This issue affects the versions of ansible as shipped with OpenStack. However, this flaw is not known to be exploitable under any supported scenario in OpenStack, as it specifically affects Microsoft Windows systems.

External References: https://github.com/ansible/ansible/pull/49142

Previous description of this flaw was inaccurate. Disregard it and consider the following one:

Execution of Ansible content on Windows platforms with PowerShell 5 or higher may disclose sensitive execution details (including 'become' passwords, Ansible module arguments, and return values) via PowerShell's "suspicious scriptblock logging" feature, which is enabled by default. The details are logged to the PowerShell Operational log, which is visible to all authenticated users by default. Ansible Engine 2.7 and older are believed to be vulnerable.

This description should be set on the doctext in order to update and correct the CVE description at mitre. Eric, could you review that?

In reply to comment #12:
> This description should be set on the doctext in order to update and correct
> the CVE description at mitre. Eric, could you review that?

Updated.

This issue has been addressed in the following products: Red Hat Ansible Engine 2.5 for RHEL 7. Via RHSA-2018:3770 https://access.redhat.com/errata/RHSA-2018:3770

This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7. Via RHSA-2018:3773 https://access.redhat.com/errata/RHSA-2018:3773

This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7. Via RHSA-2018:3771 https://access.redhat.com/errata/RHSA-2018:3771

This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7. Via RHSA-2018:3772 https://access.redhat.com/errata/RHSA-2018:3772

Statement: CloudForms and Satellite 6 are not affected by this issue, since Microsoft Windows is not a supported platform.
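As an added example (not part of this bug report, of the Ansible project, or of the fix in PR 49142), a PowerShell audit a defender can run on a managed Windows host to check whether script block logging has already captured Ansible execution details in the Microsoft-Windows-PowerShell/Operational log (event ID 4104) and to show who may read that channel; matching on the substring 'ansible' is an assumed heuristic, and the script reports only metadata, never the captured script text.

```powershell
# Added example: audit the PowerShell Operational log for Ansible execution
# details captured by script block logging (the disclosure path in this bug).
# Not part of the Ansible project or of the fix in PR 49142.

$LogName = 'Microsoft-Windows-PowerShell/Operational'

function Find-AnsibleScriptBlocks {
    param(
        [int]$MaxEvents = 5000,
        # Assumed heuristic: the Ansible Windows wrappers mention "ansible"
        # in the script text. Adjust the marker for your environment.
        [string]$Marker = 'ansible'
    )
    # Event ID 4104 carries the logged script block text.
    $filter = @{ LogName = $LogName; Id = 4104 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match $Marker) {
            # Report metadata only; the message body may contain secrets.
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                RecordId    = $e.RecordId
                UserId      = $e.UserId
                TextLength  = $e.Message.Length
            }
        }
    }
}

function Get-OperationalLogAccess {
    # Shows the channel's security descriptor (SDDL); by default it grants
    # read access to all authenticated users, which is the exposure here.
    (wevtutil gl $LogName) | Where-Object { $_ -match '^channelAccess:' }
}

$hits = @(Find-AnsibleScriptBlocks)
Write-Host ("{0} script block events mention 'ansible'" -f $hits.Count)
$hits | Select-Object -First 10 | Format-Table -AutoSize
Get-OperationalLogAccess
```

A non-zero count means Ansible runs from before the fixed versions may have left module arguments or become credentials in a log readable by every local user, so those credentials should be treated as exposed and the old events cleared after the upgrade.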