Bug 1805491 (CVE-2020-1746)

Summary: CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and ldap_entry modules
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: a.badger, dbecker, dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mburns, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, smallamp, tkuratom, tvignaud, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Engine when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-22 16:32:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1808470, 1808471, 1808472, 1808474, 1808475, 1808476, 1808477, 1808478, 1808479, 1808480, 1808481, 1809393, 1810200, 1818699
Bug Blocks: 1805492

Description Pedro Sampaio 2020-02-20 21:34:18 UTC
A flaw was found in ldap_attr and ldap_entry community modules for Ansible. This issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field since nothing in the params field is evaluated for sensitive data.

Comment 2 Borja Tarraso 2020-02-28 15:34:46 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1808472]
Affects: fedora-all [bug 1808471]
Affects: openstack-rdo [bug 1808470]

Comment 6 Toshio Kuratomi 2020-02-28 17:44:52 UTC
Upstream fix: https://github.com/ansible/ansible/pull/67866

Comment 7 Toshio Kuratomi 2020-02-28 17:47:35 UTC
A workaround was posted by felixfontein. Playbooks can be rewritten like this:

 # Set the following variable somewhere:
 # ldap_auth:
 #   server_uri: ldap://localhost/
 #   bind_dn: cn=admin,dc=example,dc=com
 #   bind_pw: password
 #
 # In the example below, 'args' is a task keyword, passed at the same level as the module
 - name: Get rid of an unneeded attribute
   ldap_attr:
     dn: uid=jdoe,ou=people,dc=example,dc=com
     name: shadowExpire
     values: []
     state: exact
   args: "{{ ldap_auth }}"

Comment 10 Borja Tarraso 2020-03-04 16:09:23 UTC
Mitigation:

Using args keyword and embedding the ldap_auth variable instead of using bind_pw parameter would mitigate this issue.
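The mitigation above in working form, as an added example that is not part of the bug report and not Ansible's own code: a small Python audit over parsed playbook tasks (a constructed sample, embedded inline rather than read from a YAML file) that flags an ldap_attr/ldap_entry task passing bind_pw as a literal without no_log, leaves the args-from-variable form from comment 7 unflagged, and shows the redaction a no_log parameter receives in module output once the upstream fix is applied. The function and variable names are assumptions of this example; the REDACTED placeholder string is the one Ansible substitutes for no_log parameter values.

```python
# Added example (not from the bug report or from Ansible): audit parsed playbook
# tasks for the CVE-2020-1746 pattern (LDAP bind password given as a literal
# parameter to ldap_attr / ldap_entry) and mimic the redaction that a no_log'd
# parameter gets in module output. Task data below is a constructed sample
# standing in for a parsed playbook.

LDAP_MODULES = {"ldap_attr", "ldap_entry"}
SENSITIVE_PARAMS = {"bind_pw"}
# Placeholder string Ansible substitutes for parameters declared no_log.
REDACTED = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def ldap_module_of(task):
    """Return the ldap_* module name used by a task, or None."""
    for key in task:
        if key in LDAP_MODULES:
            return key
    return None


def literal_secret_params(task):
    """Names of sensitive parameters given as literal values, either under the
    module key itself or under the task-level 'args' keyword. A Jinja
    reference such as "{{ ldap_auth }}" (the workaround from comment 7) is a
    plain string here, so nothing inside it is inspected and it is not flagged."""
    module = ldap_module_of(task)
    if module is None:
        return set()
    found = set()
    for source in (task.get(module), task.get("args")):
        if isinstance(source, dict):
            found |= SENSITIVE_PARAMS & set(source)
    return found


def audit_tasks(tasks):
    """Return [(task name, finding)] for tasks that would print bind_pw in
    verbose output or logs: a literal bind_pw with no 'no_log: true'."""
    findings = []
    for task in tasks:
        leaked = literal_secret_params(task)
        if leaked and not task.get("no_log"):
            findings.append((task.get("name", "<unnamed>"),
                             "literal %s without no_log" % ", ".join(sorted(leaked))))
    return findings


def redact_module_args(module_args, no_log_params=SENSITIVE_PARAMS):
    """Mimic the effect of the upstream fix (bind_pw marked no_log): return a
    copy of the module arguments with sensitive values replaced."""
    return {k: (REDACTED if k in no_log_params else v) for k, v in module_args.items()}


# Constructed sample: the vulnerable form, the same shape with no_log set, and
# the 'args' workaround from the bug report.
SAMPLE_TASKS = [
    {"name": "vulnerable: inline bind_pw",
     "ldap_attr": {"dn": "uid=jdoe,ou=people,dc=example,dc=com",
                   "name": "shadowExpire", "values": [], "state": "exact",
                   "server_uri": "ldap://localhost/",
                   "bind_dn": "cn=admin,dc=example,dc=com",
                   "bind_pw": "password"}},
    {"name": "inline bind_pw but no_log set",
     "no_log": True,
     "ldap_entry": {"dn": "ou=people,dc=example,dc=com",
                    "objectClass": "organizationalUnit",
                    "bind_dn": "cn=admin,dc=example,dc=com",
                    "bind_pw": "password"}},
    {"name": "workaround: args from a variable",
     "ldap_attr": {"dn": "uid=jdoe,ou=people,dc=example,dc=com",
                   "name": "shadowExpire", "values": [], "state": "exact"},
     "args": "{{ ldap_auth }}"},
]

if __name__ == "__main__":
    for name, finding in audit_tasks(SAMPLE_TASKS):
        print("%s: %s" % (name, finding))
    print(redact_module_args(SAMPLE_TASKS[0]["ldap_attr"]))
```

Only the first sample task is reported; the no_log task is safe by the same mechanism the upstream fix uses, and the args-from-variable task carries no literal password in the task definition, which is the point of the workaround in comment 7. To run this over a real playbook, load it with a YAML parser and pass each play's task list to audit_tasks.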

Comment 13 Borja Tarraso 2020-03-27 07:32:44 UTC
Acknowledgments:

Name: Felix Fontein

Comment 16 errata-xmlrpc 2020-04-22 14:09:19 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 17 errata-xmlrpc 2020-04-22 14:09:42 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 18 errata-xmlrpc 2020-04-22 14:10:01 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543

Comment 19 errata-xmlrpc 2020-04-22 14:10:19 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544

Comment 20 Product Security DevOps Team 2020-04-22 16:32:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1746

Comment 21 Summer Long 2021-01-18 01:19:57 UTC
Statement:

* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintain their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.

* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.