Bug 1869154 (CVE-2020-14365)
| Field | Value |
|---|---|
| Summary | CVE-2020-14365 ansible: dnf module install packages with no GPG signature |
| Product | [Other] Security Response |
| Reporter | Borja Tarraso <btarraso> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | bcoca, cmeyers, dbecker, gblomqui, gmainwar, hvyas, jcammara, jjoyce, jobarker, jschluet, jtanner, kbasil, lhh, lpeer, mabashia, mburns, notting, puebele, relrod, rhos-maint, rpetrell, sclewis, sdoran, security-response-team, slinaber, smcdonal, tkuratom, tvignaud, vbellur |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | ansible-engine 2.8.15, ansible-engine 2.9.13 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-09-02 01:17:27 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1869155, 1869156, 1869157, 1869158, 1869159, 1869160 |
| Bug Blocks | 1867550 |
Description

Borja Tarraso, 2020-08-17 06:03:31 UTC

Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Acknowledgments: Name: Bruno Travouillon (Atos)

This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7, Red Hat Ansible Engine 2.8 for RHEL 8. Via RHSA-2020:3600 https://access.redhat.com/errata/RHSA-2020:3600

This issue has been addressed in the following products: Red Hat Ansible Engine 2.9 for RHEL 8, Red Hat Ansible Engine 2.9 for RHEL 7. Via RHSA-2020:3601 https://access.redhat.com/errata/RHSA-2020:3601

This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7, Red Hat Ansible Engine 2 for RHEL 8. Via RHSA-2020:3602 https://access.redhat.com/errata/RHSA-2020:3602

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14365

Statement: Ansible Engine 2.8.14 and 2.9.12, as well as previous versions, are affected. Ansible Tower 3.7.2 and 3.6.5, as well as previous versions, are affected for containerized versions; this has been fixed indirectly in the 3.6.6 and 3.7.3 releases. For non-containerized Ansible Tower versions, the fix is provided via yum update or yum install. Red Hat Gluster Storage (RHGS) 3 and Red Hat Ceph Storage (RHCS) 2 and 3 ship the affected version of ansible, but they no longer maintain their own version of ansible; both products will consume fixes directly from the ansible repository. As RHCS 2 and 3 do not use dnf, the impact rating is reduced to Low. RHCS still ships ansible separately for Ceph on Ubuntu, but Ubuntu is not impacted by this vulnerability as it uses apt instead of dnf.

Red Hat OpenStack Platform 10 and 13 ship a vulnerable version of Ansible; however, installation of packages is done via yum instead of dnf, so this flaw will have no effect.
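The Statement and the "Fixed In Version" field together give the version boundaries for this flaw: 2.8.14, 2.9.12 and everything older are affected, and 2.8.15 / 2.9.13 carry the fix. As an added example, not part of the bug record and not Ansible's own code, the following Python script classifies Ansible Engine version strings collected from an inventory against those boundaries so that affected hosts can be prioritised for the errata update. The sample inventory is constructed; ignoring RPM release suffixes when parsing, and reporting versions newer than the 2.9 branch as "not stated" because the record does not cover them, are both assumptions made here.

```python
"""Classify Ansible Engine versions against the CVE-2020-14365 boundaries
taken from the bug record (fixed in ansible-engine 2.8.15 and 2.9.13)."""

import re
from typing import Dict, Tuple

# Fixed versions as listed in the bug's "Fixed In Version" field.
FIXED_IN = {
    (2, 8): (2, 8, 15),
    (2, 9): (2, 9, 13),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '2.8.14',
    'ansible 2.9.12' or 'ansible-2.8.14-1.el7'.

    Assumption for this example: only the first numeric major.minor[.patch]
    is significant; RPM release suffixes like '-1.el7' are ignored.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not stated'.

    Per the bug statement, 2.8.14, 2.9.12 and all previous versions are
    affected. Branches newer than 2.9 are outside what the record covers,
    so they are reported as 'not stated' rather than guessed (assumption).
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        return "fixed" if (major, minor, patch) >= FIXED_IN[branch] else "affected"
    if branch < (2, 8):
        return "affected"
    return "not stated"


def audit_inventory(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> version string to hostname -> classification."""
    return {host: classify(ver) for host, ver in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ctl01": "ansible 2.9.12",
        "ctl02": "2.9.13",
        "build01": "ansible-2.8.14-1.el7",
        "old01": "2.7.18",
        "new01": "2.10.0",
    }
    for host, verdict in audit_inventory(sample).items():
        print(f"{host:10} {verdict}")
```

Hosts reported as "affected" are the ones where a dnf task with the default disable_gpg_check setting would have installed unsigned packages silently; the "not stated" bucket is there so the script never claims safety for versions the record does not mention.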