Bug 1811008 (CVE-2020-1753)
| Summary: | CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive information | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | a.badger, dbecker, gblomqui, gmainwar, hvyas, jcammara, jjoyce, jlaska, jschluet, jtanner, kbasil, kevin, lhh, lpeer, maxim, mburns, ntait, puebele, rhos-maint, sclewis, security-response-team, slinaber, tkuratom, tvignaud, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ansible-engine 2.7.18, ansible-engine 2.8.11, ansible-engine 2.9.7 | Doc Type: | If docs needed, set a value |
| Doc Text: | A security flaw was found in the Ansible Engine when managing Kubernetes using the k8s connection plugin. Sensitive parameters such as passwords and tokens are passed to the kubectl command line instead of using environment variables or an input configuration file, which is safer. This flaw discloses passwords and tokens from the process list, and the no_log directive from the debug module would not be reflected in the underlying command-line tools options, displaying passwords and tokens on stdout and log files. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-22 16:32:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1811012, 1811013, 1811014, 1811015, 1811016, 1811017, 1811018, 1811019, 1811891, 1811892, 1811933, 1811934, 1885460 | | |
| Bug Blocks: | 1808553 | | |
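The Doc Text above describes the flaw class rather than a single line of code: a credential placed in the kubectl argv is readable by any local user through the process list and is copied verbatim into command logging, so an Ansible no_log setting on the task cannot hide it. The Python below is an added example written for this page; it is not Ansible's kubectl connection plugin nor the CVE-2020-1753 fix. It contrasts the argv pattern with the file-based one the Doc Text recommends (a private 0600 kubeconfig passed via kubectl's real `--kubeconfig` flag), adds a detection helper that checks an argv list for a secret, and a redaction helper for logging. The server URL, token, pod name and all function names are constructed assumptions.

```python
"""Added example, not Ansible's code: contrast a kubectl invocation that carries
a bearer token in argv with one that keeps it in a private kubeconfig file."""
import os
import stat
import tempfile

# Constructed sample values, not real credentials or a real cluster.
SAMPLE_SERVER = "https://k8s.example.invalid:6443"
SAMPLE_TOKEN = "constructed-sample-token-0123456789"
REDACTED = "********"


def build_argv_insecure(pod, server, token, command):
    """The leaking pattern: --token on the command line is readable by any local
    user via ps or /proc/<pid>/cmdline and lands verbatim in command logs."""
    return ["kubectl", "--server", server, "--token", token, "exec", pod, "--", *command]


def write_kubeconfig(server, token):
    """Write a minimal kubeconfig to a fresh 0600 temp file and return its path.
    kubectl reads the token from the file, so argv never contains it."""
    content = (
        "apiVersion: v1\n"
        "kind: Config\n"
        "clusters:\n"
        "- name: target\n"
        f"  cluster:\n    server: {server}\n"
        "users:\n"
        "- name: ansible\n"
        f"  user:\n    token: {token}\n"
        "contexts:\n"
        "- name: default\n"
        "  context:\n    cluster: target\n    user: ansible\n"
        "current-context: default\n"
    )
    fd, path = tempfile.mkstemp(prefix="kubecfg-", suffix=".yaml")
    try:
        os.fchmod(fd, 0o600)  # mkstemp already uses 0600; state the requirement explicitly
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
    except Exception:
        os.unlink(path)
        raise
    return path


def build_argv_safe(pod, kubeconfig_path, command):
    """Hardened pattern: only the path of the private kubeconfig is on argv."""
    return ["kubectl", "--kubeconfig", kubeconfig_path, "exec", pod, "--", *command]


def argv_leaks_secret(argv, secret):
    """Detection helper: True if the secret appears in any argv element
    (for example an argv read from /proc/<pid>/cmdline while auditing a host)."""
    return any(secret in arg for arg in argv)


def redact_argv(argv, secrets):
    """Mask secret values before an argv is logged: the effect a working no_log
    must have on the underlying command line, not only on module output."""
    out = []
    for arg in argv:
        for secret in secrets:
            if secret and secret in arg:
                arg = arg.replace(secret, REDACTED)
        out.append(arg)
    return out


def file_mode(path):
    """Permission bits of a file, used to confirm the kubeconfig is private."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(pod="web-0", command=("id",)):
    """Build both invocations from the constructed values and report what leaks."""
    insecure = build_argv_insecure(pod, SAMPLE_SERVER, SAMPLE_TOKEN, command)
    path = write_kubeconfig(SAMPLE_SERVER, SAMPLE_TOKEN)
    try:
        safe = build_argv_safe(pod, path, command)
        with open(path) as fh:
            file_holds_token = SAMPLE_TOKEN in fh.read()
        result = {
            "insecure_leaks": argv_leaks_secret(insecure, SAMPLE_TOKEN),
            "safe_leaks": argv_leaks_secret(safe, SAMPLE_TOKEN),
            "file_mode": file_mode(path),
            "file_holds_token": file_holds_token,
            "redacted": redact_argv(insecure, [SAMPLE_TOKEN]),
        }
    finally:
        os.unlink(path)  # the credential file lives only as long as the call
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nothing here executes kubectl; the point is the shape of the argv and of the file. The token still exists on disk for the duration of the call, which is why the file is created with mode 0600 and removed in a `finally` block; the same reasoning applies to an environment variable, which is readable from `/proc/<pid>/environ` only by the process owner and root, whereas argv is world-readable.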
Description
Borja Tarraso
2020-03-06 12:06:10 UTC
Acknowledgments: Name: Abhijeet Kasurde (Red Hat)

Created ansible tracking bugs for this issue: Affects: openstack-rdo [bug 1811892]

Mitigation: Currently, there is no mitigation for this issue.

Created ansible tracking bugs for this issue: Affects: epel-all [bug 1811933]; Affects: fedora-all [bug 1811934]

Removing CloudForms from affects list. CloudForms 5.10 & 5.11 both subscribe to Ansible repos, so we do not need to include cfme5/ansible-tower in affects nor file trackers. ansible_engine/ansible_tower affects entries are sufficient to inform Cloudforms customers.

kubectl connection plugin is not present in the older version of ansible shipped by Ceph and Gluster. Latest ansible version is pulled from core Ansible repo.

This issue has been addressed in the following products: Red Hat Ansible Engine 2.9 for RHEL 7; Red Hat Ansible Engine 2.9 for RHEL 8. Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7; Red Hat Ansible Engine 2 for RHEL 8. Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1753

This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7. Via RHSA-2020:2142 https://access.redhat.com/errata/RHSA-2020:2142

Statement: Ansible Engine 2.7.17, 2.8.10, and 2.9.6 as well as previous versions are affected. Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected. In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.