Bug 1916813 (CVE-2021-20191)
Summary: | CVE-2021-20191 ansible: multiple modules expose secured values | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | a.badger, bcoca, carnil, cmeyers, dbecker, dblechte, dfediuck, eedri, gblomqui, hvyas, jcammara, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mburns, mgoldboi, michal.skrivanek, notting, puebele, relrod, rpetrell, samccann, sbonazzo, sclewis, sdoran, sherold, slinaber, smcdonal, tguha, tkuratom, yturgema |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ansible 2.9.18 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in ansible. Credentials, such as secrets, are disclosed in the console log by default and are not protected by the no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. |
Last Closed: | 2021-02-24 19:02:34 UTC | Type: | --- |
Bug Depends On: | 1916818, 1916819, 1916820, 1916862, 1916863, 1916864, 1917473, 1917474, 1917475, 1962577 | ||
Bug Blocks: | 1916830 |
Description
Borja Tarraso
2021-01-15 15:48:40 UTC
Acknowledgments:

Name: Rick Elrod (Red Hat)

This issue is addressed in https://github.com/ansible-collections/cisco.nxos/pull/227.

Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1917474]
Affects: fedora-all [bug 1917473]
Affects: openstack-rdo [bug 1917475]

This CVE has been addressed in:

* Ansible 2.8.19 and newer
* Ansible 2.9.18 and newer
* Ansible 2.10.7 and newer

As well as in the following Ansible Collections:

* cisco.nxos 1.4.0 and newer
* community.docker 1.2.2 and newer
* community.general 1.3.6 and newer and 2.0.1 and newer
* community.network 1.3.2 and newer and 2.0.1 and newer
* google.cloud 1.0.2

This issue has been addressed in the following products:

Red Hat Ansible Engine 2 for RHEL 8
Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663

This issue has been addressed in the following products:

Red Hat Ansible Engine 2.9 for RHEL 8
Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20191

Statement:

The version of ansible shipped with Red Hat Gluster Storage (RHGS) 3 includes the vulnerable `network/nxos/nxos_*` modules. However, RHGS 3 no longer maintains its own version of Ansible; the prerequisite is to enable the ansible repository in order to consume the latest version of ansible, which has many bug and security fixes.

This issue has been addressed in the following products:

Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079

This issue has been addressed in the following products:

Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
Red Hat Virtualization Engine 4.4
Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180
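
The Doc Text above describes credentials that are not covered by the no_log feature. As an added example (not code from this bug report or from the Ansible project), the following static check flags credential-like parameters in a module's `argument_spec` that lack `no_log=True`. The name heuristic, the function names and the sample module source are assumptions constructed for illustration.

```python
import ast
import re

# Heuristic for parameter names that usually carry credentials (assumption of this example).
SECRET_NAME = re.compile(r"(pass(word|phrase|wd)?|secret|token|private_key|api_key|auth)", re.I)

# Constructed sample module source; it is only parsed, never executed.
SAMPLE_MODULE = '''
argument_spec = dict(
    host=dict(type="str", required=True),
    password=dict(type="str"),
    auth_token=dict(type="str", no_log=True),
    api_key=dict(type="str", no_log=False),
)
module = AnsibleModule(argument_spec=argument_spec)
'''

def _spec_items(node):
    """Yield (name, value_node) pairs from a dict(...) call or a {...} literal."""
    if isinstance(node, ast.Call) and getattr(node.func, "id", None) == "dict":
        for kw in node.keywords:
            if kw.arg is not None:
                yield kw.arg, kw.value
    elif isinstance(node, ast.Dict):
        for k, v in zip(node.keys, node.values):
            if isinstance(k, ast.Constant) and isinstance(k.value, str):
                yield k.value, v

def find_unprotected_params(source):
    """Return credential-like argument_spec parameters that lack no_log=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "argument_spec" for t in node.targets):
            continue
        for name, spec in _spec_items(node.value):
            if not SECRET_NAME.search(name):
                continue
            options = dict(_spec_items(spec))
            no_log = options.get("no_log")
            if not (isinstance(no_log, ast.Constant) and no_log.value is True):
                findings.append(name)
    return findings

if __name__ == "__main__":
    for param in find_unprotected_params(SAMPLE_MODULE):
        print(f"argument_spec parameter {param!r} is not marked no_log=True")
```

A name-based check like this produces false positives and misses secrets with unusual parameter names, so its findings are a review queue, not a verdict.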