Bug 1773622 (CVE-2019-14890)

Summary: CVE-2019-14890 Tower: RHSM username and password exposed after license application
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, jfrey, jhardy, jlaska, kdixon, obarenbo, roliveri, security-response-team, simaishi, smallamp
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ansible_tower 3.6.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Tower. After the Ansible Tower license is applied, the RHSM credentials are stored in plain text in the database and exposed through the '/api/v2/config' API endpoint. An attacker who obtains these credentials could log into RHSM, modify licenses, and make other changes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-25 14:59:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1775627, 1775628, 1775629
Bug Blocks: 1773623
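A practitioner verifying the fix described in the Doc Text would want a check that a saved copy of the '/api/v2/config' response carries no credential material. The following is an added example written for this page, not code from the bug report or from the Ansible Tower project: it walks a parsed JSON response and reports every leaf whose key name looks like a secret and whose value is non-empty. The endpoint path comes from the report; the sample bodies and their key names (license_info, rh_username, rh_password) are constructed for illustration and are not the real field names Tower returns.

```python
"""Scan a saved API response body for credential-bearing keys.

Added example, not from the bug report or from Ansible Tower.
The sample JSON and its key names below are constructed; they are
not Tower's real field names.
"""
import json
import re
from typing import Any, Iterator

# Key names that should never carry a non-empty value in a
# configuration endpoint readable by ordinary API users.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api_key|private_key)", re.IGNORECASE
)


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk(value, f"{path}[{idx}]")
    else:
        yield path, node


def find_exposed_credentials(response_body: str) -> list[str]:
    """Return the JSON paths whose key looks secret-like and whose value is a non-empty string.

    An empty string or null is acceptable: the fixed version may keep the
    field in the schema while no longer populating it.
    """
    doc = json.loads(response_body)
    hits = []
    for path, value in walk(doc):
        leaf_key = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEY.search(leaf_key) and isinstance(value, str) and value:
            hits.append(path)
    return hits


# Constructed sample resembling a response that leaks the RHSM password.
SAMPLE_LEAKING = json.dumps({
    "version": "3.6.0",
    "license_info": {
        "subscription_name": "Example Subscription",
        "rh_username": "rhsm-user@example.com",
        "rh_password": "hunter2",
    },
})

# Constructed sample where the field exists but is no longer populated.
SAMPLE_CLEAN = json.dumps({
    "version": "3.6.1",
    "license_info": {"subscription_name": "Example Subscription", "rh_password": ""},
})

if __name__ == "__main__":
    for label, body in (("leaking", SAMPLE_LEAKING), ("clean", SAMPLE_CLEAN)):
        print(label, find_exposed_credentials(body))
```

In practice the body would be the output of an authenticated GET against the Tower host's '/api/v2/config' saved to a file; the scan is deliberately name-based so it also catches a future field that leaks a different secret under a new name.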

Description Borja Tarraso 2019-11-18 15:04:21 UTC
After submitting a new license using the new RHSM on Ansible Tower 3.6.0, license data such as the username and password is exposed at '/api/v2/config/'. These credentials are saved in the database as plaintext.

Comment 1 Borja Tarraso 2019-11-18 15:04:24 UTC
Acknowledgments:

Name: Victor da Costa (Red Hat)

Comment 4 Borja Tarraso 2019-11-25 13:01:57 UTC
Mitigation:

There is no mitigation for this issue, since the issue occurs when the Red Hat license is applied.

Comment 7 errata-xmlrpc 2019-11-25 14:21:50 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2019:3958 https://access.redhat.com/errata/RHSA-2019:3958

Comment 8 Eric Christensen 2019-11-26 21:16:55 UTC
Statement:

Ansible Tower 3.6.0 is affected, but Ansible Tower 3.5, 3.4, and 3.3 are not vulnerable as they do not include the new RHSM.

CloudForms 5.9 and 5.10 are not vulnerable as they do not use Ansible Tower 3.6.0.