Bug 1831089 (CVE-2020-10729)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-10729 Ansible: two random password lookups in same task return same value | | |
| Product | [Other] Security Response | Reporter | Borja Tarraso <btarraso> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | bcoca, jcammara, jtanner, rtillery, sdoran, tkuratom |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | ansible-engine 2.9.6 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length return the same value, because the templated result is cached for the file and the lookup is not re-evaluated. The highest threat from this vulnerability is that, since the generated passwords are identical, all of the passwords for that file are exposed at once. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-05-05 08:19:23 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1810827, 1885435 | | |
| Bug Blocks | 1831074 | | |
Description

Borja Tarraso
2020-05-04 15:54:13 UTC

Upstream fix: https://github.com/ansible/ansible/pull/67429/

From the Product Security perspective this vulnerability could expose a really wide set of services and configurations, depending on end users' usage. The CVSS score could range from non-existent, in the case of not using more than one password lookup, to critical if all of them are generated, so it depends on how many values are generated and where they are used. Later consequences after these values are leaked or guessed somehow could become critical. For this reason we would consider any revert of the current solution a blocker, even if this could affect performance, to avoid exposing end users in worst-case scenarios. Adverse behavioural changes or performance issues must be taken as bugs or enhancements separately.

Acknowledgments:
Name: Rihards Olups

Fix included in the Ansible 2.9.6 release: https://access.redhat.com/errata/RHBA-2020:0784

External References: https://github.com/ansible/ansible/issues/34144