Bug 1869154 (CVE-2020-14365)

Summary: CVE-2020-14365 ansible: dnf module install packages with no GPG signature
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bcoca, cmeyers, dbecker, gblomqui, gmainwar, hvyas, jcammara, jjoyce, jobarker, jschluet, jtanner, kbasil, lhh, lpeer, mabashia, mburns, notting, puebele, relrod, rhos-maint, rpetrell, sclewis, sdoran, security-response-team, slinaber, smcdonal, tkuratom, tvignaud, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ansible-engine 2.8.15, ansible-engine 2.9.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-02 01:17:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1869155, 1869156, 1869157, 1869158, 1869159, 1869160    
Bug Blocks: 1867550    

Description Borja Tarraso 2020-08-17 06:03:31 UTC
The dnf ansible module is not checking GPG signatures when installing packages. This allows installing malicious packages previously stored in the dnf repository. This could lead to an integrity problem and service availability disruption.
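
A host-side audit for the outcome the description above warns about, added here and not taken from the Ansible project or from this bug's fix: it lists installed RPMs whose rpm signature tags are all empty, which is what a package installed with the GPG check skipped looks like afterwards. It assumes the rpm CLI and a POSIX awk; the sample query output is constructed, with placeholder key IDs.

```shell
#!/bin/sh
# Added audit helper, not code from the Ansible project or from this bug's fix.
# Lists installed RPMs that carry no GPG signature in any of the four signature
# tags rpm records: SIGPGP/SIGGPG (whole-package RSA/DSA) and
# RSAHEADER/DSAHEADER (header-only). Assumes the rpm CLI and awk are present.

# rpm query format: package name followed by the four signature tags.
# The :pgpsig formatter prints "(none)" when a tag is absent.
RPM_SIG_QF='%{NAME}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\t%{RSAHEADER:pgpsig}\t%{DSAHEADER:pgpsig}\n'

# find_unsigned: read query output on stdin and print the name of every package
# whose signature tags are all "(none)". gpg-pubkey entries are the imported
# keys themselves, which are never signed, so they are skipped, not reported.
find_unsigned() {
    awk -F '\t' '
        $1 == "gpg-pubkey" { next }
        {
            signed = 0
            for (i = 2; i <= NF; i++) {
                if ($i != "(none)" && $i != "") signed = 1
            }
            if (!signed) print $1
        }'
}

# audit_unsigned_rpms: run the real query on this host and report findings.
audit_unsigned_rpms() {
    rpm -qa --qf "$RPM_SIG_QF" | find_unsigned
}

# Constructed sample of the query output (key ID and date are placeholders):
# one signed package, one imported key, one package that was installed unsigned.
SAMPLE_RPM_REPORT=$(printf '%s\t%s\t%s\t%s\t%s\n' \
    bash 'RSA/SHA256, Wed 01 Jan 2020, Key ID 0123456789abcdef' '(none)' \
         'RSA/SHA256, Wed 01 Jan 2020, Key ID 0123456789abcdef' '(none)' \
    gpg-pubkey '(none)' '(none)' '(none)' '(none)' \
    unsigned-agent '(none)' '(none)' '(none)' '(none)')

# demo: run the filter over the constructed sample; prints "unsigned-agent".
demo() {
    printf '%s\n' "$SAMPLE_RPM_REPORT" | find_unsigned
}

demo
```

A missing signature is only the crudest case: a package signed by a key the host never imported passes this filter, so follow up on anything suspect with `rpm -K` (`rpm --checksig`), which verifies against the keys actually imported on the host.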

Comment 2 Borja Tarraso 2020-08-17 06:03:39 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 6 Borja Tarraso 2020-08-21 08:14:28 UTC
Acknowledgments:

Name: Bruno Travouillon (Atos)

Comment 11 errata-xmlrpc 2020-09-01 19:30:59 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:3600 https://access.redhat.com/errata/RHSA-2020:3600

Comment 12 errata-xmlrpc 2020-09-01 19:31:39 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2020:3601 https://access.redhat.com/errata/RHSA-2020:3601

Comment 13 errata-xmlrpc 2020-09-01 19:32:16 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:3602 https://access.redhat.com/errata/RHSA-2020:3602

Comment 15 Product Security DevOps Team 2020-09-02 01:17:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14365

Comment 26 Borja Tarraso 2020-11-03 07:40:40 UTC
Statement:

Ansible Engine 2.8.14 and 2.9.12 as well as previous versions are affected.

Ansible Tower 3.7.2 and 3.6.5 as well as previous versions are affected for containerized versions and have been fixed indirectly in the 3.6.6 and 3.7.3 releases. For non-containerized Ansible Tower versions, the fix is provided via yum update or yum install.

Red Hat Gluster Storage (RHGS) 3 and Red Hat Ceph Storage (RHCS) 2 and 3 ship the affected version of ansible, but they no longer maintain their own version of ansible. Both products will consume fixes directly from the ansible repository. As RHCS 2 and 3 do not use dnf, the impact rating is reduced to Low. RHCS still ships ansible separately for Ceph on Ubuntu, but Ubuntu is not impacted by this vulnerability as it uses apt instead of dnf.

Red Hat OpenStack Platform 10 and 13 ship a vulnerable version of Ansible, however installation of packages is done via yum instead of dnf so this flaw will have no effect.