Bug 1755373 (CVE-2019-14846)
| Summary: | CVE-2019-14846 ansible: secrets disclosed on logs when no_log enabled | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | a.badger, adudiak, akarol, amctagga, aoconnor, bniver, carnil, dajohnso, dbecker, dmetzger, dylan, eglynn, ehelms, flucifre, gblomqui, ggainey, gmainwar, gmccullo, gmeno, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jobarker, jprause, jschluet, jtanner, juwatts, kbasil, kdixon, kevin, lhh, lpeer, lsvaty, mabashia, maxim, mbenjamin, mburns, mgarciac, mhackett, mhulan, nmoumoul, obarenbo, pcreech, pgrist, puebele, rchan, relrod, rhos-maint, roliveri, sclewis, sdoran, security-response-team, simaishi, sisharma, slinaber, smallamp, smcdonal, sostapov, teagle, tkuratom, tvignaud, vbellur, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ansible-engine 2.8.6, ansible-engine 2.7.14, ansible-engine 2.6.20 | Doc Type: | If docs needed, set a value |
| Doc Text: |
Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-10-25 00:51:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1755513, 1755514, 1755515, 1755516, 1755795, 1755796, 1755797, 1766399, 1766400, 1766401, 1769188 | ||
| Bug Blocks: | 1755369 | ||
|
Description
Borja Tarraso
2019-09-25 11:33:47 UTC
Acknowledgments: Name: Paul Milbank (Pushpay Site Reliability Engineering), Harvey Rendell (Pushpay Site Reliability Engineering), Tom Henderson (Pushpay Site Reliability Engineering) Hi Is there any related upstream issue related to this issue or further information? The dependent issues are currently not accessible and we would like to determine which ansible versions in Debian are affected by this CVE. Regards, Salvatore It almost certainly does. Here's the upstream fix: https://github.com/ansible/ansible/pull/63366 This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7 Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202 This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7 Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201 This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7 Red Hat Ansible Engine 2.8 for RHEL 8 Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203 This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Red Hat Ansible Engine 2 for RHEL 8 Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14846 Statement: Red Hat Gluster Storage no more maintains its own version of Ansible, pre-requisite is to enable ansible repository. The fix will be consumed from core Ansible. This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS Via RHSA-2020:0756 https://access.redhat.com/errata/RHSA-2020:0756 Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository. |