Bug 1956464 (CVE-2021-3532)

Summary: CVE-2021-3532 ansible: async_file sensitive information disclosure
Product: [Other] Security Response
Reporter: Tapas Jena <tjena>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: a.badger, adudiak, asherlan, bcoca, dassa.asaf, davidn, dylan, gblomqui, jcammara, jguiditt, jhardy, jjoyce, jobarker, jschluet, kevin, kshier, lhh, lpeer, mabashia, maxim, mburns, mcepl, osapryki, patrick, relrod, rpetrell, sclewis, slinaber, smcdonal, stcannon, tfister, tkuratom, tuxmealux+redhatbz, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible. Confidential information is disclosed in async_files when the user changes the jobdir to a world-readable directory. Any confidential information in an async status file will be readable by a malicious user on that system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2024-01-09 11:17:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1959074, 1959075, 1959076, 1959077, 1959079, 1959081, 1959082, 1959083, 1959084, 1959085, 1959086
Bug Blocks: 1887243, 1956478

Description Tapas Jena 2021-05-03 18:18:01 UTC
When a user changes the jobdir of async_files to a world-readable directory, ansible writes the async status files directly into the world-readable directory using umask to determine the file's permissions. The umask on most systems allows world-readable files. This means that any secret information in an "async_status" file will be readable by a malicious user on that system.
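The mechanism described in the report, as an added illustration that is not Ansible's own code: a status file created with a plain open() inherits the process umask (0644 under the common 022 umask), while one created with an explicit 0600 mode and O_EXCL stays private regardless of the umask or the jobdir's permissions. The function names, the constructed jobdir and the file contents are assumptions for the demo; `world_readable_files` is an audit helper a defender could run against a configured jobdir.

```python
import os
import stat
import tempfile


def write_status_file_weak(jobdir, job_id, content):
    """The pattern the report describes: open() honours the process umask,
    so in a world-readable jobdir the status file is typically mode 0644."""
    path = os.path.join(jobdir, job_id)
    with open(path, "w") as fh:
        fh.write(content)
    return path


def write_status_file_hardened(jobdir, job_id, content):
    """Create the file with an explicit 0600 mode and O_EXCL, so neither the
    umask nor a pre-existing file placed by another user can widen access."""
    path = os.path.join(jobdir, job_id)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def world_readable_files(jobdir):
    """Audit helper: names of regular files in jobdir readable by 'other'."""
    found = []
    for name in sorted(os.listdir(jobdir)):
        st = os.lstat(os.path.join(jobdir, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            found.append(name)
    return found


def demo():
    """Constructed scenario: permissive umask plus a world-readable jobdir.
    Returns the files an unprivileged local user could read."""
    old_umask = os.umask(0o022)  # the permissive umask common on most systems
    try:
        with tempfile.TemporaryDirectory() as jobdir:
            os.chmod(jobdir, 0o755)  # simulate a user-chosen world-readable jobdir
            secret = '{"secret": "constructed-sample-value"}'
            write_status_file_weak(jobdir, "weak.json", secret)
            write_status_file_hardened(jobdir, "hard.json", secret)
            return world_readable_files(jobdir)  # returns ['weak.json']
    finally:
        os.umask(old_umask)
```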

Comment 3 Tapas Jena 2021-05-10 16:57:11 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1959083]
Affects: fedora-all [bug 1959082]
Affects: openstack-rdo [bug 1959081]

Comment 4 Tapas Jena 2021-05-10 16:57:41 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1959086]
Affects: fedora-all [bug 1959085]
Affects: openstack-rdo [bug 1959084]