Bug 1760829 (CVE-2019-14856)
| Summary: | CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206 | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | a.badger, carnil, dajohnso, dbecker, dmetzger, gblomqui, gmccullo, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jprause, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mburns, obarenbo, puebele, rhos-maint, roliveri, sclewis, simaishi, sisharma, slinaber, tkuratom, tvignaud, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ansible-engine 2.8.6, ansible-engine 2.7.14, ansible-engine 2.6.20 | Doc Type: | If docs needed, set a value |
| Doc Text: |
The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-10-25 00:51:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1760839, 1760840, 1760841, 1760842, 1763738, 1775632, 1775633, 1775634, 1775635, 1779889, 1779890 | ||
| Bug Blocks: | 1760830 | ||
|
Description
Pedro Sampaio
2019-10-11 12:33:55 UTC
For reference this is https://github.com/ansible/ansible/pull/63351 upstream. Also note, the backports will be smaller. The fix in devel makes two changes which are independently sufficient to fix the problem. The backport will only include one of them. Vulnerable code from CVE-2019-10206 was included in the version of Ansible shipped with Ceph and Gluster. Gluster uses Ansible package from Ansible repository and hence it will consume fixes from core Ansible. For Ceph-3 we still maintain Ansible atleast for Ubuntu, Ceph-2 is about to reach end of life in December 2019. This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7 Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202 This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7 Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201 This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7 Red Hat Ansible Engine 2.8 for RHEL 8 Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203 This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Red Hat Ansible Engine 2 for RHEL 8 Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14856 Created ansible tracking bugs for this issue: Affects: epel-6 [bug 1775632] Affects: epel-7 [bug 1775633] Affects: fedora-all [bug 1775634] Affects: openstack-rdo [bug 1775635] RHOSP fixes will be consumed from platforms. This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS Via RHSA-2020:0756 https://access.redhat.com/errata/RHSA-2020:0756 Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository. |