Bug 1914774 (CVE-2021-20178)

Summary: CVE-2021-20178 ansible: user data leak in snmp_facts module
Product: [Other] Security Response Reporter: Tapas Jena <tjena>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, bcoca, carnil, cmeyers, dbecker, dblechte, d.busby, dfediuck, eedri, gblomqui, hvyas, jcammara, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mburns, mgoldboi, michal.skrivanek, notting, puebele, relrod, rpetrell, sbonazzo, sclewis, sdoran, security-response-team, sherold, slinaber, smcdonal, tkuratom, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible 2.9.18 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible. The 'authkey' and 'privkey' credentials are disclosed by default and not protected by no_log feature when using the snmp_facts module. Attackers could take advantage of this information to steal the SNMP credentials. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 19:02:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1914806, 1914807, 1914808, 1917287, 1917330, 1917331, 1917332, 1917333, 1917334, 1962577    
Bug Blocks: 1913193, 1942838    

Description Tapas Jena 2021-01-11 08:19:29 UTC 
snmp_facts module in Ansible leaks user authentication such as authKey and privKey. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.
Comment 1 Tapas Jena 2021-01-11 08:19:34 UTC 
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat)
Comment 5 Salvatore Bonaccorso 2021-01-12 06:35:57 UTC 
Hi

Is there a upstream issue reference for this issue?

Regards,
Salvatore
Comment 6 Tapas Jena 2021-01-12 10:15:09 UTC 
Hi,
Please refer the below for upstream reference for this issue.
https://github.com/ansible-collections/community.general/pull/1621 

Kind Regards,
Tapas J
Comment 7 Salvatore Bonaccorso 2021-01-12 16:12:06 UTC 
Hi Tapas,

Thank you.

Regards,
Salvatore
Comment 8 Borja Tarraso 2021-01-18 09:11:15 UTC 
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1917287]
Comment 9 Tapas Jena 2021-01-18 10:09:58 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1917330]
Comment 10 Tapas Jena 2021-01-18 10:14:38 UTC 
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1917331]
Comment 16 errata-xmlrpc 2021-02-24 17:46:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663
Comment 17 errata-xmlrpc 2021-02-24 17:46:55 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664
Comment 18 Product Security DevOps Team 2021-02-24 19:02:24 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20178
Comment 19 Hardik Vyas 2021-03-29 14:22:11 UTC 
Statement:

The version of ansible shipped with Red Hat Gluster Storage (RHGS) 3 includes the vulnerable snmp module. However, RHGS 3 no longer maintains its own version of Ansible, prerequisite is to enable ansible repository in order to consume the latest version of ansible which has many bug and security fixes.
Comment 20 errata-xmlrpc 2021-04-06 13:20:42 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079
Comment 23 David Busby 2021-06-01 11:59:55 UTC 
Please note the filing of CVE-2020-20178 links to this BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1914774), (see: https://nvd.nist.gov/vuln/detail/CVE-2020-20178) 

However there is no mention of OpenLDAP issue being affected in this BZ despite the CVE filing noting the OpenLDAP issue "A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability." 

Instead should the CVE filing note this BZ link: https://bugzilla.redhat.com/show_bug.cgi?id=1928774 and https://bugzilla.redhat.com/show_bug.cgi?id=1899675 instead of https://bugzilla.redhat.com/show_bug.cgi?id=1914774 ?
Comment 24 errata-xmlrpc 2021-06-01 13:23:33 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180