Bug 1818924 (CVE-2020-10698)

Summary: CVE-2020-10698 Tower: normal users can intercept stdout from jobs running in other organizations
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: gblomqui, jneedle, mabashia, smcdonal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ansible_tower 3.6.4, ansible_tower 3.5.6, ansible_tower 3.4.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of jobs executed by other organizations. Some sensitive data could be disclosed. However, critical data should not be disclosed, as it should be protected by the no_log flag when debugging is enabled.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1818925, 1818926, 1818927
Bug Blocks: 1818771

Description Borja Tarraso 2020-03-30 17:38:27 UTC
Ansible Tower should prevent ws group subscription if it is not specified in the valid format. Otherwise this would allow normal users to intercept stdout from jobs running in other organizations.
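The description above says the server should refuse websocket group subscriptions that are not in the valid format. As an added example (not Tower's or AWX's code, and not the fix from the linked pull request), here is one way such an allowlist-then-authorize check can be structured: the request is parsed into known group kinds, each object id is validated as a positive integer and checked against the requesting user's access, and the resulting group names are re-validated against a strict pattern so a pre-built name such as `job_events-13` cannot be smuggled in. The subscription message shape, the group kinds, the organization-based data model and the `can_read` callback are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Set


# Constructed data model for this example (not Tower's real model):
# every user and every job belongs to exactly one organization.
@dataclass(frozen=True)
class User:
    name: str
    org: int


@dataclass(frozen=True)
class Job:
    id: int
    org: int


JOBS: Dict[int, Job] = {12: Job(id=12, org=1), 13: Job(id=13, org=2)}


def org_can_read(user: User, kind: str, obj_id: int) -> bool:
    """Hypothetical access check: a user may read a job's events only when
    the job belongs to the user's own organization."""
    if kind == "job":
        job = JOBS.get(obj_id)
        return job is not None and job.org == user.org
    return False


# Allowlist of subscription kinds (hypothetical names). "ids" kinds take
# positive integer object ids and are authorized per object; "literals"
# kinds take a fixed set of channel names and carry no per-object data.
SUBSCRIPTION_RULES = {
    "jobs": {"literals": {"status_changed", "summary"}},
    "job_events": {"ids": "job"},
    "ad_hoc_command_events": {"ids": "ad_hoc_command"},
}

# Every group name the server joins must have this shape; anything else
# means a request got a group name past the structured checks above.
GROUP_NAME_RE = re.compile(r"^[a-z_]+-(?:\d+|[a-z_]+)$")


class SubscriptionRejected(ValueError):
    pass


def resolve_groups(user: User, requested: object,
                   can_read: Callable[[User, str, int], bool]) -> Set[str]:
    """Validate a websocket subscription request and return the set of
    channel-layer group names the connection may join. Any malformed or
    unauthorized entry rejects the whole request."""
    if not isinstance(requested, dict):
        raise SubscriptionRejected("groups must be an object")
    resolved: Set[str] = set()
    for kind, values in requested.items():
        rule = SUBSCRIPTION_RULES.get(kind)
        if rule is None:
            # Rejects unknown kinds and pre-built names like "job_events-13".
            raise SubscriptionRejected(f"unknown group kind {kind!r}")
        if not isinstance(values, list):
            raise SubscriptionRejected(f"{kind}: values must be a list")
        for value in values:
            if "literals" in rule:
                if not isinstance(value, str) or value not in rule["literals"]:
                    raise SubscriptionRejected(f"{kind}: {value!r} is not an allowed channel")
            else:
                # bool is a subclass of int, so exclude it explicitly.
                if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
                    raise SubscriptionRejected(f"{kind}: id must be a positive integer")
                if not can_read(user, rule["ids"], value):
                    raise SubscriptionRejected(f"{kind}: no access to {rule['ids']} {value}")
            name = f"{kind}-{value}"
            if not GROUP_NAME_RE.fullmatch(name):
                raise SubscriptionRejected(f"malformed group name {name!r}")
            resolved.add(name)
    return resolved


def check(user: User, requested: object) -> str:
    """Demo wrapper: returns the joined groups or the rejection reason as text."""
    try:
        return "joined " + ", ".join(sorted(resolve_groups(user, requested, org_can_read)))
    except SubscriptionRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    alice = User("alice", org=1)
    for request in (
        {"jobs": ["status_changed"], "job_events": [12]},  # job in her own org
        {"job_events": [13]},                              # job in another org
        {"job_events-13": []},                             # pre-built name as a kind
        {"job_events": ["13"]},                            # id sent as a string
        ["job_events-12"],                                 # wrong top-level shape
    ):
        print(request, "->", check(alice, request))
```

The design point is that authorization happens on the parsed, typed id, never on a string the client assembled, and that the final pattern check is a backstop rather than the primary control: if the structured validation is bypassed by a future code path, the backstop still refuses names that do not look like `<kind>-<id>`.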

Comment 1 Borja Tarraso 2020-03-30 17:38:32 UTC
Acknowledgments:

Name: Ryan Petrello (Red Hat)

Comment 2 Borja Tarraso 2020-03-30 17:38:35 UTC
Statement:

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

Comment 6 Borja Tarraso 2020-03-30 17:53:02 UTC
Mitigation:

This issue can be mitigated by disabling the stdout from jobs through the nginx configuration file. However, this may affect the usage of Tower, as the stdout stream would be hidden. To disable the output of running jobs, removing the entire 'location /websocket' block from the nginx configuration (and restarting the nginx service) would be required. Nginx will then stop serving /websocket, returning an HTTP 404 code.

Comment 7 Borja Tarraso 2020-03-30 18:18:41 UTC
awx link: https://github.com/ansible/awx/pull/6465