Bug 1975767 (CVE-2021-3620)

Summary: CVE-2021-3620 Ansible: ansible-connection module discloses sensitive info in traceback error message
Product: [Other] Security Response
Reporter: Tapas Jena <tjena>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: a.badger, agilley, amctagga, anharris, asherlan, bcoca, bniver, carnil, chadams, chousekn, cmeyers, cperry, davidn, dblechte, dfediuck, dylan, eedri, flucifre, gblomqui, gmeno, hvyas, jcammara, jhardy, jjoyce, jobarker, jschluet, kevin, kyoshida, lhh, lpeer, mabashia, maxim, mbenjamin, mburns, meissner, mgoldboi, mhackett, michal.skrivanek, nobody, notting, osapryki, patrick, relrod, rpetrell, sbonazzo, sclewis, sdoran, security-response-team, sherold, slinaber, smcdonal, sostapov, tkuratom, tuxmealux+redhatbz, vereddy, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-14 20:08:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1976206, 1976863, 1976864, 1976865, 1977086, 1977592, 1977593, 1977598, 1977599, 1977600, 2014239
Bug Blocks: 1969893, 1975967
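The flaw class named in the Doc Text is an exception message that carries the connection options, credentials included, all the way into the traceback a user sees. The following is an added illustration of that pattern beside a redacting variant; it is not Ansible's code and not the fix referenced in the comments below. The connect() stand-in, the option names, the SECRET_KEYS list and the sample values are all constructed for the example.

```python
"""Vulnerable vs. redacting traceback handling for a failed connection.

Constructed example: connect() always fails and, like the flawed behaviour
described in the bug, embeds the whole option dict in the exception message.
"""
import traceback

# Assumption for the example: a fixed allow-list of option keys whose values
# are secrets and must never reach an error message.
SECRET_KEYS = frozenset({"password", "ssh_key_passphrase", "become_pass"})
REDACTED = "<redacted>"


class ConnectFailed(Exception):
    """Stand-in for a plugin error built from the connection options."""


def connect(options):
    """Constructed stand-in: fails and puts the full option dict into the message."""
    raise ConnectFailed("unable to connect with options %r" % (options,))


def format_error_unsafe(options):
    """Vulnerable pattern: the rendered traceback is returned verbatim."""
    try:
        connect(options)
    except ConnectFailed:
        return traceback.format_exc()


def redact_values(text, options):
    """Replace each secret value in the rendered text with a marker.

    Scrubbing the rendered text (not the dict) also catches secrets that were
    already interpolated into the message before we got hold of it.
    """
    for key, value in options.items():
        if key in SECRET_KEYS and value:
            # repr() matches what %r / str(dict) produce; str() catches
            # plain f-string style interpolation of the same value.
            for needle in (repr(value), str(value)):
                text = text.replace(needle, REDACTED)
    return text


def format_error_safe(options):
    """Hardened pattern: scrub secret values before the traceback leaves the process."""
    try:
        connect(options)
    except ConnectFailed:
        return redact_values(traceback.format_exc(), options)


def leaks_secret(message, options):
    """Check helper: does the message still contain any secret value verbatim?"""
    return any(
        str(value) in message
        for key, value in options.items()
        if key in SECRET_KEYS and value
    )


if __name__ == "__main__":
    opts = {"host": "10.0.0.5", "user": "admin", "password": "S3cr3t!"}  # constructed
    print(format_error_unsafe(opts))  # password visible in the traceback
    print(format_error_safe(opts))    # password replaced with <redacted>
```

Two caveats a reviewer would raise on the redacting variant: it only scrubs the rendered text, so the exception object itself (its args, any chained cause, or a debugger attached to the frame) still holds the secret, and a very short or common secret value could be replaced wherever it happens to occur in the traceback. The durable fix is to keep credentials out of the exception message in the first place; output-side redaction is the defence-in-depth layer behind that.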

Comment 3 Salvatore Bonaccorso 2021-06-27 20:10:54 UTC
Any details (report upstream, fixing commits, etc ...) on this issue available?

Comment 4 Tapas Jena 2021-06-28 07:18:46 UTC
Hi @carnil,

You can refer to the link below regarding the possible fix:
github.com/dalrrard/ansible/blob/devel/lib/ansible/module_utils/connection.py

Comment 5 Gianluca Gabrielli 2021-06-28 09:20:01 UTC
(In reply to Salvatore Bonaccorso from comment #3)
> Any details (report upstream, fixing commits, etc ...) on this issue
> available?

fe28767 [0] seems to be the fixing commit, if you find something more please share.

[0] https://github.com/dalrrard/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0

Comment 28 errata-xmlrpc 2021-10-14 19:40:21 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2021:3871 https://access.redhat.com/errata/RHSA-2021:3871

Comment 29 errata-xmlrpc 2021-10-14 19:40:56 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2021:3872 https://access.redhat.com/errata/RHSA-2021:3872

Comment 30 Product Security DevOps Team 2021-10-14 20:08:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3620

Comment 31 errata-xmlrpc 2021-10-14 20:19:19 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.0 for RHEL 8

Via RHSA-2021:3874 https://access.redhat.com/errata/RHSA-2021:3874

Comment 32 errata-xmlrpc 2021-11-16 14:45:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:4703 https://access.redhat.com/errata/RHSA-2021:4703

Comment 33 errata-xmlrpc 2021-11-19 19:21:46 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:4750 https://access.redhat.com/errata/RHSA-2021:4750

Comment 35 Tapas Jena 2021-12-29 11:19:05 UTC
Hi @psampaio,

Yes, we do have the "Fixed In" version for this bug. The concerned bug, i.e. CVE-2021-3620, has been fixed in Ansible Engine 2.9.27. Please refer to https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes for the same.

Let me know if you need any further info on this.