Bug 1939349 (CVE-2021-3447)

Summary: CVE-2021-3447 ansible: multiple modules expose secured values
Product: [Other] Security Response
Reporter: Tapas Jena <tjena>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: a.badger, amctagga, anharris, asherlan, bcoca, bniver, carnil, chousekn, cmeyers, davidn, dbecker, dblechte, dfediuck, dylan, eedri, flucifre, gblomqui, gmeno, hvyas, jcammara, jhardy, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mbenjamin, mburns, mgoldboi, mhackett, michal.skrivanek, nobody, notting, osapryki, puebele, relrod, rpetrell, sbonazzo, sclewis, sdoran, sherold, slinaber, smcdonal, sostapov, tkuratom, vereddy, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Red Hat Ansible Automation Platform 1.2.2, Ansible Tower 3.8.2
Doc Type: ---
Doc Text:
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-04-09 17:35:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1939440, 1939441, 1939444, 1939445, 1939446, 1939447, 1939448, 1939449, 1967881, 1969368
Bug Blocks: 1938335, 1939694

Description Tapas Jena 2021-03-16 07:57:05 UTC
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality.
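
The two leak paths named in the description (the "Invoked with ..." line a module writes to syslog on the managed node, and the invocation/module_args block the controller prints under -vvv) both come from the same place: the module's argument_spec. The following is an added illustration, not code from this bug report or from Ansible itself. It models in plain Python what AnsibleModule does with `no_log=True`, puts a constructed argument_spec in the shape of the unfixed modules (a `password` option without `no_log`) beside the fixed one, and adds a small audit that flags secret-looking options that lack `no_log=True`. Every function and constant name here is this example's own; the redaction marker `VALUE_SPECIFIED_IN_NO_LOG_PARAMETER` is the string Ansible substitutes in returned module_args, everything else (the spec, the parameters, the module name `uri`) is constructed for the example.

```python
"""Model of how a missing no_log=True leaks a module parameter into logs.

Added example; not Ansible's code. It mimics the no_log handling of
AnsibleModule: collect the values of no_log parameters, then scrub them
from the invocation that is returned to the controller (shown with -vvv)
and from the line logged on the managed node.
"""
import json
import re

# Marker Ansible substitutes for no_log values in returned module_args.
REDACTED = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# Option names that should almost always carry no_log=True (example regex).
SECRET_NAME_RE = re.compile(r"(pass(word|wd)?|secret|token|api_key|private_key)", re.I)

# Constructed argument_spec in the shape of the unfixed modules.
VULNERABLE_SPEC = {
    "url": {"type": "str", "required": True},
    "user": {"type": "str"},
    "password": {"type": "str"},                  # missing no_log=True
}

# The same spec with the fix applied.
FIXED_SPEC = {
    "url": {"type": "str", "required": True},
    "user": {"type": "str"},
    "password": {"type": "str", "no_log": True},  # fixed
}

# Constructed task parameters (hypothetical host and credential).
PARAMS = {"url": "https://example.invalid/api", "user": "svc", "password": "Hunter2!"}


def no_log_values(argument_spec, params):
    """Return the set of parameter values that must never be logged."""
    values = set()
    for name, spec in argument_spec.items():
        if spec.get("no_log") and params.get(name) not in (None, ""):
            values.add(str(params[name]))
    return values


def redact_values(obj, secrets):
    """Recursively replace every occurrence of a secret value with REDACTED.

    Matching is by value, not by key, so a password that also appears
    embedded in a URL or inside a nested dict/list is scrubbed as well.
    """
    if isinstance(obj, dict):
        return {k: redact_values(v, secrets) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact_values(v, secrets) for v in obj]
    if isinstance(obj, str):
        if obj in secrets:
            return REDACTED
        for secret in secrets:
            obj = obj.replace(secret, REDACTED)
        return obj
    return obj


def logged_invocation(argument_spec, params):
    """The 'invocation' block a module returns; the controller prints it under -vvv."""
    secrets = no_log_values(argument_spec, params)
    return {"invocation": {"module_args": redact_values(params, secrets)}}


def syslog_line(module_name, argument_spec, params):
    """Model of the 'Invoked with ...' line written to syslog on the managed node."""
    secrets = no_log_values(argument_spec, params)
    args = redact_values(params, secrets)
    return f"ansible-{module_name}: Invoked with " + " ".join(f"{k}={v!r}" for k, v in args.items())


def audit_argument_spec(argument_spec):
    """Names of secret-looking options that lack no_log=True (the bug class here)."""
    return sorted(
        name for name, spec in argument_spec.items()
        if SECRET_NAME_RE.search(name) and not spec.get("no_log")
    )


if __name__ == "__main__":
    for label, spec in (("vulnerable", VULNERABLE_SPEC), ("fixed", FIXED_SPEC)):
        print(f"--- {label} ---")
        print(syslog_line("uri", spec, PARAMS))
        print(json.dumps(logged_invocation(spec, PARAMS), indent=2))
        print("options missing no_log:", audit_argument_spec(spec))
```

Run stand-alone, the vulnerable spec prints the credential in both the syslog-style line and the invocation block; the fixed spec prints the marker in both places. The audit function is the check worth running over a collection's modules before shipping: any option whose name matches the regex and has no `no_log` is a candidate for exactly this CVE class. Note that `no_log=True` only scrubs values Ansible knows about; a secret that reaches the module through an unrelated option (or through a `msg`/`stdout` it returns) still needs the module's own care.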

Comment 3 Tapas Jena 2021-03-16 12:15:32 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1939440]
Affects: fedora-all [bug 1939441]
Affects: openstack-rdo [bug 1939444]

Comment 5 Borja Tarraso 2021-03-17 06:36:04 UTC
Acknowledgments:

Name: John Barker (Red Hat), Felix Fontein, Chen Zhi (Zhejiang University)

Comment 6 Salvatore Bonaccorso 2021-03-20 07:53:45 UTC
Hi

As I would like to try to track this in the right way in another downstream as well, do you know if this has an upstream issue reported?

Regards,

Comment 7 Tapas Jena 2021-03-24 15:41:58 UTC
Hi,

I checked on the above question and found no trace of any upstream issue report. However, I am not completely sure as of now.

Kind Regards,
Tapas J

Comment 9 Sage McTaggart 2021-03-29 15:20:50 UTC
Statement:

Red Hat Gluster Storage 3 no longer maintains its own version of ansible; the prerequisite is to enable the ansible repository in order to consume the latest version of ansible, which has many bug and security fixes.

Comment 10 errata-xmlrpc 2021-04-06 13:20:55 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079

Comment 11 Product Security DevOps Team 2021-04-09 17:35:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3447

Comment 12 errata-xmlrpc 2021-04-22 21:05:48 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:1342 https://access.redhat.com/errata/RHSA-2021:1342

Comment 13 errata-xmlrpc 2021-04-22 21:06:31 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:1343 https://access.redhat.com/errata/RHSA-2021:1343

Comment 16 errata-xmlrpc 2021-07-22 15:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2736 https://access.redhat.com/errata/RHSA-2021:2736

Comment 17 errata-xmlrpc 2021-07-22 15:26:02 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2866 https://access.redhat.com/errata/RHSA-2021:2866