Bug 1657330 (CVE-2018-16876)

Summary: CVE-2018-16876 ansible: Information disclosure in vvv+ mode with no_log on
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: a.badger, abhgupta, ahardin, aos-bugs, athmanem, bbuckingham, bcourt, bkearney, bleanhar, ccoleman, dajohnso, dbaker, dbecker, dclarizi, dedgar, dmetzger, dominik.mierzejewski, eparis, gblomqui, gmainwar, gmccullo, gtanzill, jcammara, jfrey, jgoulding, jhardy, jjoyce, jlaska, jokerman, jprause, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mburns, mchappel, mmccomas, mmccune, mrike, obarenbo, ohadlevy, rchan, rhos-maint, rjerrido, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, smunilla, ssaha, sthangav, tbielawa, tkuratom, trankin, tvignaud, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ansible-engine 2.5.14, ansible-engine 2.6.11, ansible-engine 2.7.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1657389, 1657390, 1657639, 1657641, 1657642, 1657643, 1658594, 1658597, 1661067, 1661068, 1661069, 1677729
Bug Blocks: 1657323

Description Andrej Nemec 2018-12-07 16:33:06 UTC
It was found that when a retry task in ansible run with -vvv fails, it will log the raw return code, stdout and stderr from ssh which could have contained sensitive data.

Upstream patch:

https://github.com/ansible/ansible/pull/49569/commits/4c6d714aefb05366cb329e139214c89ebb364899
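The following is an added illustration of the bug class described in this report; it is constructed for this page and is neither Ansible's code nor the upstream patch. It models a task result as a plain dict and shows a formatter whose ordinary output honours no_log while its vvv+ debugging line is built from the raw result (so the redaction is bypassed), next to a version that redacts once and derives every line from the redacted copy. The function names, the marker text, the sample result and the secret value are all constructed; a `leaked_secrets` check models how a defender can assert that known secret values never reach verbose log output.

```python
# Constructed illustration of the bug class, not Ansible's own code.
# A "task result" is a plain dict holding what came back from the remote
# side: return code plus stdout/stderr, any of which may carry secrets.

NO_LOG_MARKER = "<output hidden: no_log was set for this result>"
SAFE_KEYS = {"failed", "changed", "attempts"}  # bookkeeping only, never secret-bearing

# Constructed sample: a failed, retried task whose stderr echoes a credential.
SAMPLE_RESULT = {
    "rc": 1,
    "stdout": "",
    "stderr": "auth failed for token=s3cr3t-TOKEN-EXAMPLE",
    "failed": True,
    "attempts": 3,
}
SECRETS = ["s3cr3t-TOKEN-EXAMPLE"]  # constructed; what the defender check looks for


def redact_result(result, no_log):
    """Return a copy with every possibly sensitive field masked when no_log is set.

    rc, stdout and stderr are all masked: the report lists all three as leaked.
    """
    if not no_log:
        return dict(result)
    return {k: (v if k in SAFE_KEYS else NO_LOG_MARKER) for k, v in result.items()}


def format_failure_flawed(result, no_log, verbosity):
    """Shape of the defect: the normal line uses the redacted copy, but the
    vvv+ debugging line is built from the raw result, bypassing no_log."""
    shown = redact_result(result, no_log)
    lines = ["task failed (attempt %s)" % shown.get("attempts", "?")]
    if verbosity >= 3:  # -vvv and above
        lines.append("result: rc=%r stdout=%r stderr=%r"
                     % (result["rc"], result["stdout"], result["stderr"]))
    return "\n".join(lines)


def format_failure_fixed(result, no_log, verbosity):
    """Hardened shape: redact once, up front, and build every output line,
    including the verbose one, from the redacted copy only."""
    shown = redact_result(result, no_log)
    lines = ["task failed (attempt %s)" % shown.get("attempts", "?")]
    if verbosity >= 3:
        lines.append("result: rc=%r stdout=%r stderr=%r"
                     % (shown["rc"], shown["stdout"], shown["stderr"]))
    return "\n".join(lines)


def leaked_secrets(text, secrets):
    """Defender check: which known secret values appear verbatim in log output."""
    return [s for s in secrets if s in text]


if __name__ == "__main__":
    print("flawed, no_log=True, -vvv leaks:",
          leaked_secrets(format_failure_flawed(SAMPLE_RESULT, True, 3), SECRETS))
    print("fixed,  no_log=True, -vvv leaks:",
          leaked_secrets(format_failure_fixed(SAMPLE_RESULT, True, 3), SECRETS))
```

The structural point is that redaction must be applied at the point where the result is produced, not at each place it is printed; any later code path that reaches back to the raw result (a retry, an error handler, a debug line gated on verbosity) reintroduces the leak. The `leaked_secrets` check is the kind of assertion a CI job can run over captured verbose output with known test credentials.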

Comment 1 Laura Pardo 2018-12-07 21:17:00 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1657390]
Affects: fedora-all [bug 1657389]

Comment 3 Borja Tarraso 2018-12-07 21:54:35 UTC
External References:

https://github.com/ansible/ansible/pull/49569

Comment 11 errata-xmlrpc 2018-12-18 12:00:44 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2018:3836 https://access.redhat.com/errata/RHSA-2018:3836

Comment 12 errata-xmlrpc 2018-12-18 12:01:07 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:3835 https://access.redhat.com/errata/RHSA-2018:3835

Comment 13 errata-xmlrpc 2018-12-18 12:02:55 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:3838 https://access.redhat.com/errata/RHSA-2018:3838

Comment 14 errata-xmlrpc 2018-12-18 12:03:08 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2018:3837 https://access.redhat.com/errata/RHSA-2018:3837

Comment 18 errata-xmlrpc 2019-03-14 13:34:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0564 https://access.redhat.com/errata/RHSA-2019:0564

Comment 19 errata-xmlrpc 2019-03-18 12:56:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:0590 https://access.redhat.com/errata/RHSA-2019:0590