Bug 1916813 (CVE-2021-20191)

Summary: CVE-2021-20191 ansible: multiple modules expose secured values
Product: [Other] Security Response Reporter: Borja Tarraso <btarraso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, bcoca, carnil, cmeyers, dbecker, dblechte, dfediuck, eedri, gblomqui, hvyas, jcammara, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mburns, mgoldboi, michal.skrivanek, notting, puebele, relrod, rpetrell, samccann, sbonazzo, sclewis, sdoran, sherold, slinaber, smcdonal, tguha, tkuratom, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: ansible 2.9.18 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 19:02:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1916818, 1916819, 1916820, 1916862, 1916863, 1916864, 1917473, 1917474, 1917475, 1962577    
Bug Blocks: 1916830    

Description Borja Tarraso 2021-01-15 15:48:40 UTC
A few different modules leak sensitive data such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.

Comment 1 Borja Tarraso 2021-01-15 15:48:44 UTC

Name: Rick Elrod (Red Hat)

Comment 6 Trishna Guha 2021-01-18 10:52:38 UTC
This issue is addressed in https://github.com/ansible-collections/cisco.nxos/pull/227.

Comment 7 Tapas Jena 2021-01-18 14:46:58 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1917474]
Affects: fedora-all [bug 1917473]
Affects: openstack-rdo [bug 1917475]

Comment 12 Sandra McCann 2021-02-24 16:45:45 UTC
This CVE has been addressed in:

  * Ansible 2.8.19 and newer
  * Ansible 2.9.18 and newer
  * Ansible 2.10.7 and newer

As well as in the following Ansible Collections:

  * cisco.nxos 1.4.0 and newer
  * community.docker 1.2.2 and newer
  * community.general 1.3.6 and newer and 2.0.1 and newer
  * community.network 1.3.2 and newer and 2.0.1 and newer
  * google.cloud 1.0.2

Comment 13 errata-xmlrpc 2021-02-24 17:46:11 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663

Comment 14 errata-xmlrpc 2021-02-24 17:47:03 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664

Comment 15 Product Security DevOps Team 2021-02-24 19:02:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 16 Hardik Vyas 2021-03-29 14:24:54 UTC

The version of ansible shipped with Red Hat Gluster Storage (RHGS) 3 includes the vulnerable `network/nxos/nxos_*` modules. However, RHGS 3 no longer maintains its own version of Ansible, prerequisite is to enable ansible repository in order to consume the latest version of ansible which has many bug and security fixes.

Comment 17 errata-xmlrpc 2021-04-06 13:20:47 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079

Comment 20 errata-xmlrpc 2021-06-01 13:23:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180