Bug 1760593 (CVE-2019-14858)
Summary: | CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in certain failure scenarios | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | a.badger, amctagga, anharris, bniver, carnil, dajohnso, dbecker, dmetzger, dominik.mierzejewski, flucifre, gblomqui, gmainwar, gmccullo, gmeno, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jprause, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mbenjamin, mburns, mhackett, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, tkuratom, tvignaud, vbellur, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ansible-engine 2.6.20, ansible-engine 2.7.14, ansible-engine 2.8.6 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in ansible. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-10-25 00:51:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1760594, 1760595, 1760596, 1760597, 1760598, 1760599, 1760600, 1766391, 1766392, 1766393, 1766409, 1769190 | ||
Bug Blocks: | 1760566 |
Description
Borja Tarraso
2019-10-10 21:45:05 UTC
Acknowledgments: Name: Sam Doran (Red Hat) Do you have an upstream reference on this issue? Upstream fix is: https://github.com/ansible/ansible/pull/63405 Note that the code has changed quite a bit here so some of the backprots will be very different looking. This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7 Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202 This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7 Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201 This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7 Red Hat Ansible Engine 2.8 for RHEL 8 Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203 This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Red Hat Ansible Engine 2 for RHEL 8 Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14858 Created ansible tracking bugs for this issue: Affects: openstack-rdo [bug 1766409] This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS Via RHSA-2020:0756 https://access.redhat.com/errata/RHSA-2020:0756 Statement: Fixes for Red Hat OpenStack Platform (RHOSP) have been set to 'Moderate' because flaw exploitation requires running Ansible with increased verbosity which is not the RHOSP deployment default. Red Hat Gluster Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible. Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository. |