Bug 1802164 (CVE-2020-1738)
| Summary: | CVE-2020-1738 ansible: module package can be selected by the ansible facts | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | a.badger, amctagga, amoralej, anharris, bniver, carnil, dbecker, dmetzger, flucifre, gblomqui, gmainwar, gmccullo, gmeno, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mbenjamin, mburns, mhackett, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, slong, smallamp, tkuratom, tvignaud, vbellur, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ansible-engine 2.9.7 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-05-27 13:36:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1804383, 1804384, 1804386, 1804387, 1805325, 1805326, 1805372, 1805373, 1805374, 1805375, 1805512, 1807878, 1808326, 1814778 | ||
| Bug Blocks: | 1801714 | ||
|
Description
Borja Tarraso
2020-02-12 13:54:01 UTC
Acknowledgments: Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab) Borja, is there any upstream reference for this ansible issue? Created ansible tracking bugs for this issue: Affects: epel-all [bug 1805326] Affects: fedora-all [bug 1805325] Hey Salvatore, I am working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now, I will get back to you asap. In reply to comment #4: > Borja, is there any upstream reference for this ansible issue? Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Low" severity CVEs. Upstream fix: https://github.com/ansible/ansible/issues/67796 Created ansible tracking bugs for this issue: Affects: openstack-rdo [bug 1807878] Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu. Mitigation: Specify the parameter 'use' when possible on the package and service modules. Avoid using Ansible Collections on Ansible 2.8.9 or 2.7.16 (and any of the previous versions) as they are not rejecting python with no path (already fixed in 2.9.x). CloudForms 5.11 do not use ansible-tower and 5.10 only using ansible-tower-venv-ansible atm. Statement: Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected. Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected. In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. |