Bug 1802085 (CVE-2020-1735)
| Summary: | CVE-2020-1735 ansible: path injection on dest parameter in fetch module | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | a.badger, amctagga, amoralej, anharris, bniver, carnil, dbecker, dmetzger, flucifre, gblomqui, gmainwar, gmccullo, gmeno, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mbenjamin, mburns, mhackett, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, slong, smallamp, tkuratom, tvignaud, vbellur, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-22 16:31:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1804365, 1804366, 1804367, 1804368, 1805333, 1805336, 1805358, 1805359, 1805360, 1805361, 1805494, 1807429, 1807875, 1814767 | ||
| Bug Blocks: | 1801714 | ||
|
Description
Borja Tarraso
2020-02-12 10:42:10 UTC
Acknowledgments: Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab) Borja, I'm sorry I know I'm bit repetitive for all the respective issues for ansible CVE-2020-1735 up to CVE-2020-1740. It would be nice to get an idea for other downstream which versions are affected or if upstream is aware of those and working on fixes or if there are upstream issues to be tracked. Any information on any of those? I have added NEEDINFO flags respectively for reach. Would it be possible to provide this further information? Created ansible tracking bugs for this issue: Affects: epel-all [bug 1805336] Affects: fedora-all [bug 1805333] Hey Salvatore, I am working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now, I will get back to you asap. In reply to comment #4: > Borja, I'm sorry I know I'm bit repetitive for all the respective issues for > ansible CVE-2020-1735 up to CVE-2020-1740. It would be nice to get an idea > for other downstream which versions are affected or if upstream is aware of > those and working on fixes or if there are upstream issues to be tracked. > > Any information on any of those? I have added NEEDINFO flags respectively > for reach. Would it be possible to provide this further information? Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs. Mitigation: Currently, there is no mitigation for this issue except avoid using the affected fetch module when possible. Upstream fix: https://github.com/ansible/ansible/issues/67793 Created ansible tracking bugs for this issue: Affects: openstack-rdo [bug 1807875] Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu. This issue has been addressed in the following products: Red Hat Ansible Engine 2.9 for RHEL 7 Red Hat Ansible Engine 2.9 for RHEL 8 Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541 This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Red Hat Ansible Engine 2 for RHEL 8 Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542 This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7 Red Hat Ansible Engine 2.8 for RHEL 8 Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543 This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7 Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1735 CloudForms 5.11 do not use ansible-tower and 5.10 only using ansible-tower-venv-ansible atm. Statement: Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected. Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected. In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. |