Bug 1975767 (CVE-2021-3620)
| Summary: | CVE-2021-3620 Ansible: ansible-connection module discloses sensitive info in traceback error message | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tapas Jena <tjena> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | a.badger, agilley, amctagga, anharris, asherlan, bcoca, bniver, carnil, chadams, chousekn, cmeyers, cperry, davidn, dblechte, dfediuck, dylan, eedri, flucifre, gblomqui, gmeno, hvyas, jcammara, jhardy, jjoyce, jobarker, jschluet, kevin, kyoshida, lhh, lpeer, mabashia, maxim, mbenjamin, mburns, meissner, mgoldboi, mhackett, michal.skrivanek, nobody, notting, osapryki, patrick, relrod, rpetrell, sbonazzo, sclewis, sdoran, security-response-team, sherold, slinaber, smcdonal, sostapov, tkuratom, tuxmealux+redhatbz, vereddy, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-14 20:08:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1976206, 1976863, 1976864, 1976865, 1977086, 1977592, 1977593, 1977598, 1977599, 1977600, 2014239 | ||
| Bug Blocks: | 1969893, 1975967 | ||
|
Comment 3
Salvatore Bonaccorso
2021-06-27 20:10:54 UTC
Hi @carnil, You can refer the below link regarding the possible fix : github.com/dalrrard/ansible/blob/devel/lib/ansible/module_utils/connection.py (In reply to Salvatore Bonaccorso from comment #3) > Any details (report upstream, fixing commits, etc ...) on this issue > available? fe28767 [0] seems to be the fixing commit, if you find something more please share. [0] https://github.com/dalrrard/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0 This issue has been addressed in the following products: Red Hat Ansible Engine 2.9 for RHEL 7 Red Hat Ansible Engine 2.9 for RHEL 8 Via RHSA-2021:3871 https://access.redhat.com/errata/RHSA-2021:3871 This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Red Hat Ansible Engine 2 for RHEL 8 Via RHSA-2021:3872 https://access.redhat.com/errata/RHSA-2021:3872 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3620 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.0 for RHEL 8 Via RHSA-2021:3874 https://access.redhat.com/errata/RHSA-2021:3874 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Red Hat Virtualization Engine 4.4 Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8 Via RHSA-2021:4703 https://access.redhat.com/errata/RHSA-2021:4703 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:4750 https://access.redhat.com/errata/RHSA-2021:4750 Hi @psampaio, Yes, we do have the "Fixed In" version for this bug. The concerned bug i.e. CVE-2021-3620 has been fixed in Ansible Engine 2.9.27. Please refer https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes for the same. Let me know if you need any further info on this. |