Bug 1760593 (CVE-2019-14858)

Summary: CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in certain failure scenarios
Product: [Other] Security Response Reporter: Borja Tarraso <btarraso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, carnil, dajohnso, dbecker, dmetzger, dominik.mierzejewski, gblomqui, gmainwar, gmccullo, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jprause, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mburns, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, tkuratom, tvignaud, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible-engine 2.6.20, ansible-engine 2.7.14, ansible-engine 2.8.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-25 00:51:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1769190, 1760594, 1760595, 1760596, 1760597, 1760598, 1760599, 1760600, 1766391, 1766392, 1766393, 1766409    
Bug Blocks: 1760566    

Description Borja Tarraso 2019-10-10 21:45:05 UTC
When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

Comment 1 Borja Tarraso 2019-10-10 21:45:07 UTC
Acknowledgments:

Name: Sam Doran (Red Hat)

Comment 5 Salvatore Bonaccorso 2019-10-12 07:11:21 UTC
Do you have an upstream reference on this issue?

Comment 6 Toshio Kuratomi 2019-10-14 15:53:29 UTC
Upstream fix is: https://github.com/ansible/ansible/pull/63405

Note that the code has changed quite a bit here so some of the backprots will be very different looking.

Comment 8 errata-xmlrpc 2019-10-24 13:01:10 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202

Comment 9 errata-xmlrpc 2019-10-24 13:01:26 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201

Comment 10 errata-xmlrpc 2019-10-24 13:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203

Comment 11 errata-xmlrpc 2019-10-24 14:27:28 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207

Comment 12 Product Security DevOps Team 2019-10-25 00:51:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14858

Comment 16 Summer Long 2019-10-29 00:32:06 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1766409]

Comment 22 errata-xmlrpc 2020-03-10 11:21:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:0756 https://access.redhat.com/errata/RHSA-2020:0756

Comment 23 Eric Christensen 2020-03-17 18:54:43 UTC
Statement:

Fixes for Red Hat OpenStack Platform (RHOSP) have been set to 'Moderate' because flaw exploitation requires running Ansible with increased verbosity which is not the RHOSP deployment default.

Red Hat Gluster Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible.

Comment 28 Yadnyawalk Tale 2020-04-22 10:22:36 UTC
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository.