Bug 1764148 (CVE-2019-14864)

Summary: CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: a.badger, dajohnso, dbecker, dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jprause, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, mattdavi, maxim, mburns, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, tkuratom, tvignaud, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ansible-engine 2.9.1, ansible-engine 2.8.7, ansible-engine 2.7.15
Doc Type: If docs needed, set a value
Doc Text:
A data disclosure flaw was found in Ansible when using the Splunk and Sumologic callback plugins, as they do not respect the no_log flag when it is enabled. This flaw can disclose and collect sensitive data from the system and expose it to an attacker.
Story Points: ---
Last Closed: 2019-11-20 18:51:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1764188, 1764190, 1764191, 1769192, 1773470, 1774003, 1774004, 1774005, 1774007
Bug Blocks: 1764140

Description Borja Tarraso 2019-10-22 11:19:50 UTC
Ansible is not respecting the flag no_log when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. This would disclose and collect any sensitive data.

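The mechanism the description above points at, as an added example that is not part of this bug report or of Ansible's own callback code: a minimal model of a log-forwarding callback, once in the form the report describes (raw task fields and raw result forwarded regardless of no_log) and once honoring no_log, plus the leak check a collector-side test would run. The FakeTask/FakeTaskResult classes, the fixture values and the secret are constructed; they only mirror the attribute names (_task, _result, _task_fields, no_log) and the _ansible_no_log result key that a real Ansible callback sees, and the censor wording is modelled on Ansible's own placeholder message.

```python
"""Model of a log-forwarding callback that honors no_log.

Added example, not code from the Ansible project or from this bug report.
The stand-in classes mirror the attribute names a real callback sees on
ansible.executor.task_result.TaskResult (_task, _result, _task_fields) and on
Task.no_log, but they are constructed fixtures, and the secret is made up.
"""
import json


class FakeTask:
    """Stand-in for ansible.playbook.task.Task (constructed)."""

    def __init__(self, name, action, no_log=False):
        self.name = name
        self.action = action
        self.no_log = no_log


class FakeTaskResult:
    """Stand-in for the TaskResult handed to v2_runner_on_ok (constructed)."""

    def __init__(self, task, result, task_fields):
        self._task = task
        self._result = result
        self._task_fields = task_fields


# Placeholder wording modelled on the message Ansible emits for censored results.
CENSORED = "the output has been hidden due to the fact that 'no_log: true' was specified for this result"


def build_event_leaky(result):
    """Behaviour the report describes: forward raw task fields and raw result,
    so a no_log task's module args and output reach the collector."""
    return {
        "ansible_task": result._task_fields,
        "ansible_result": result._result,
    }


def build_event_fixed(result):
    """Honor no_log before anything leaves the controller.

    Check both the task attribute and the _ansible_no_log marker in the result
    dict (assumed to be present, as in the fixtures); either means censor.
    """
    no_log = bool(result._task.no_log) or bool(result._result.get("_ansible_no_log"))
    if not no_log:
        return build_event_leaky(result)  # nothing to hide, pass through unchanged
    # Module args live under task_fields["args"]; drop them along with the result.
    task_fields = {k: v for k, v in result._task_fields.items() if k != "args"}
    task_fields["args"] = {"censored": CENSORED}
    return {
        "ansible_task": task_fields,
        "ansible_result": {"censored": CENSORED, "_ansible_no_log": True},
    }


def event_leaks(event, secrets):
    """Leak check for a collector-side test: which known secret strings appear
    anywhere in the serialized event, nested keys and values included?"""
    blob = json.dumps(event, sort_keys=True)
    return [s for s in secrets if s in blob]


# Constructed fixtures: a no_log task whose password sits in both the module
# args and the returned invocation, and an ordinary task that must pass through.
SECRET = "hunter2-not-a-real-password"
NO_LOG_RESULT = FakeTaskResult(
    FakeTask("set db password", "uri", no_log=True),
    {
        "changed": True,
        "invocation": {"module_args": {"url": "https://db.example/admin", "url_password": SECRET}},
        "_ansible_no_log": True,
    },
    {"name": "set db password", "action": "uri", "no_log": True,
     "args": {"url": "https://db.example/admin", "url_password": SECRET}},
)
PLAIN_RESULT = FakeTaskResult(
    FakeTask("ping", "ping"),
    {"changed": False, "ping": "pong", "_ansible_no_log": False},
    {"name": "ping", "action": "ping", "no_log": False, "args": {}},
)


def demo():
    """Return which secrets each builder leaks for the no_log task."""
    return {
        "leaky": event_leaks(build_event_leaky(NO_LOG_RESULT), [SECRET]),
        "fixed": event_leaks(build_event_fixed(NO_LOG_RESULT), [SECRET]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check worth keeping in a playbook test suite is event_leaks: feed it the events your forwarder actually emits for a task with no_log: true and a known dummy secret, and fail the build on any hit. The plain-task comparison guards against the opposite regression, a fix that censors every event.
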
Comment 5 Summer Long 2019-10-22 22:47:46 UTC
Upstream issue: https://github.com/ansible/ansible/issues/63522
Upstream fix: https://github.com/ansible/ansible/pull/63527

Comment 6 Borja Tarraso 2019-10-23 06:30:15 UTC
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat), Patrick O’Brien (The Trade Desk Inc)

Comment 13 Borja Tarraso 2019-11-19 12:24:37 UTC
Created ansible tracking bugs for this issue:

Affects: epel-6 [bug 1774003]
Affects: epel-7 [bug 1774004]
Affects: fedora-all [bug 1774005]
Affects: openstack-rdo [bug 1774007]

Comment 14 errata-xmlrpc 2019-11-20 14:50:04 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:3925 https://access.redhat.com/errata/RHSA-2019:3925

Comment 15 errata-xmlrpc 2019-11-20 14:51:59 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:3928 https://access.redhat.com/errata/RHSA-2019:3928

Comment 16 errata-xmlrpc 2019-11-20 14:54:43 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2019:3927 https://access.redhat.com/errata/RHSA-2019:3927

Comment 17 errata-xmlrpc 2019-11-20 14:55:11 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:3926 https://access.redhat.com/errata/RHSA-2019:3926

Comment 18 Product Security DevOps Team 2019-11-20 18:51:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14864

Comment 19 Cedric Buissart 2020-01-16 09:43:25 UTC
Statement:

* The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat OpenStack Platform (RHOSP) does not use Sumo Logic or Splunk, Red Hat will not be providing a fix for RHOSP Ansible at this time.
* Red Hat Gluster Storage no longer maintains its own version of Ansible; the prerequisite is to enable the Ansible repository. The fix will be consumed from core Ansible.
* Ansible Tower’s Splunk logging integration uses the Splunk HTTP Collector and Ansible Engine.
* The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat Satellite 6.4 and 6.5 do not use Sumo Logic or Splunk, Red Hat will not be providing a fix for Satellite 6.4 and 6.5 and Ansible at this time. Users may upgrade to Satellite 6.6 or later which includes the resolution to this bug if desired.

Comment 24 Yadnyawalk Tale 2020-04-22 10:24:31 UTC
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship the `ansible` package; it is provided by the official Ansible repository.