Bug 1733509 (CVE-2019-10217)

Summary: CVE-2019-10217 Ansible: gcp modules do not flag sensitive data fields properly
Product: [Other] Security Response Reporter: Borja Tarraso <btarraso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akasurde, bcoca, dbecker, hvyas, jcammara, jjoyce, jschluet, jtanner, kbasil, lhh, lpeer, mburns, msiddiqu, rhos-maint, sclewis, security-response-team, sisharma, slinaber, tkuratom, tvignaud
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible-engine 2.8.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the gcp module of ansible. Certain fields managing sensitive data should be marked by the no_log feature. The service_account_contents(), which is common class for all gcp modules, is not being set as no_log to True. Any sensitive data managed by that function would be leaked as an output when running ansible playbooks. Data confidentiality is the highest threat with this vulnerability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-21 20:47:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1733510, 1743501    
Bug Blocks: 1732560    

Description Borja Tarraso 2019-07-26 10:22:34 UTC 
Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.
Comment 1 Borja Tarraso 2019-07-26 10:22:36 UTC 
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat)
Comment 3 Brian Coca 2019-07-26 13:08:29 UTC 
related:

https://github.com/ansible/ansible/issues/56269
https://github.com/ansible/ansible/pull/59427
Comment 4 Brian Coca 2019-08-01 14:41:08 UTC 
https://github.com/ansible/ansible-stage/pull/7
Comment 7 errata-xmlrpc 2019-08-21 18:03:54 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:2543 https://access.redhat.com/errata/RHSA-2019:2543
Comment 8 errata-xmlrpc 2019-08-21 18:06:28 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:2542 https://access.redhat.com/errata/RHSA-2019:2542
Comment 9 Product Security DevOps Team 2019-08-21 20:47:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10217
Comment 16 Eric Christensen 2020-03-05 16:40:59 UTC 
Statement:

Ansible shipped with Red Hat Ceph Storage 3; Red Hat OpenStack 10, 13, and 14; and Ansible Engine 2.6 and 2.7 are not vulnerable as they do not include the cred_type implementation (service_account_contents).