Bug 1856815 (CVE-2020-14330)

Summary: CVE-2020-14330 Ansible: masked keys for uri module are exposed into content and json output
Product: [Other] Security Response Reporter: Borja Tarraso <btarraso>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: VERIFIED --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, adudiak, bcoca, gblomqui, hvyas, jcammara, jjoyce, jschluet, kbasil, kevin, lhh, lpeer, mabashia, maxim, mburns, pcahyna, sclewis, slinaber, smcdonal, stcannon, tfister, tkuratom, tvignaud
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: ansible-engine 2.9.12 Doc Type: If docs needed, set a value
Doc Text:
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1856819, 1857185, 1857186, 1859484, 1859536, 1859843, 1867337, 1867882, 1867883, 1874346, 1874348, 1874350    
Bug Blocks: 1856696    

Description Borja Tarraso 2020-07-14 13:59:10 UTC
In Ansible Engine, when using uri module keys are not properly masked and sensitive data is exposed into content and json output.

Comment 1 Borja Tarraso 2020-07-14 13:59:13 UTC
External References:


Comment 2 Borja Tarraso 2020-07-14 13:59:16 UTC

There is no mitigation for this issue.

Comment 5 Borja Tarraso 2020-07-15 08:44:53 UTC

Name: Hung Luong

Comment 6 Borja Tarraso 2020-07-15 11:14:44 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1857185]
Affects: fedora-all [bug 1857186]

Comment 8 Borja Tarraso 2020-07-22 11:03:26 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1859536]

Comment 12 Borja Tarraso 2020-07-23 07:43:23 UTC
The correct upstream PR which fixes this particular issue is: https://github.com/ansible/ansible/pull/70762/

Comment 19 Borja Tarraso 2020-10-05 15:34:29 UTC
This has been fixed in 2.9.12 upstream and 2.9.13 downstream.

Comment 21 Summer Long 2021-01-18 01:27:46 UTC

Red Hat Ansible Engine 2.9.12 (downstream) and Ansible Engine 2.9.11 (upstream), as well as previous versions are affected by this flaw. Ansible Engine 2.9.12 version (upstream) on towards fixes the issue for upstream and Red Hat Ansible Engine 2.9.13 version is fixed (downstream).

Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of Ansible, but they no longer maintain their own version of Ansible. Both the products will consume fixes directly from the Ansible repository. As we still ship Ansible separately for Ceph on Ubuntu, a future update may address this issue.

In Red Hat OpenStack Platform, because ansible is not directly customer exposed (so that the flaw could not be exploited) and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. Note: Red Hat Open Stack Platform 15 and newer consume fixes directly from the Ansible repository.