Bug 1977965 (CVE-2021-3702)

Summary: CVE-2021-3702 ansible-runner: Race condition with temporary files in tempfile.TemporaryDirectory()
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A race condition flaw was found in ansible-runner: an attacker could watch for the rapid creation and deletion of a temporary directory, substitute their own directory at that name, and gain access to ansible-runner's private_data_dir the next time ansible-runner made use of it. The highest threat from this flaw is to integrity and confidentiality.
Last Closed: 2021-11-12 17:27:20 UTC
Bug Depends On: 1977966, 1977967, 1977968    
Bug Blocks: 1977971    

Description Pedro Sampaio 2021-06-30 19:51:37 UTC
A race condition was found in ansible-runner where an attacker could watch for a rapid creation and deletion of a temporary directory,
substitute their own directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made
use of the private_data_dir.

Upstream patch:

https://github.com/ansible/ansible-runner/pull/742/commits/0e9aa8a97e7832ef9a1553ef2908632a32d2b8c4
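The pattern behind this report, as an added illustration that is not code from the bug or from ansible-runner itself: a path taken from tempfile.TemporaryDirectory() stops existing when the with-block exits, so any later reuse of that name races against whoever else can create it, whereas tempfile.mkdtemp() creates a 0o700 directory whose lifetime the caller controls. The function names reused_tempdir_name, make_private_dir, is_private_dir and demo are assumed for this example.

```python
import os
import stat
import tempfile


def reused_tempdir_name():
    """Risky pattern (illustration only): TemporaryDirectory() removes the
    directory when the with-block exits, so the value kept afterwards is just
    a name that no longer exists.  Recreating or opening that name later
    races against anyone who can create entries in the same parent."""
    with tempfile.TemporaryDirectory() as tmp:
        kept_name = tmp          # the directory exists only inside this block
    return kept_name             # dangling: nothing exists at this path now


def make_private_dir():
    """Hardened pattern: mkdtemp() creates the directory atomically with mode
    0o700 (independent of umask) and never deletes it behind the caller's
    back; the caller removes it when finished with it."""
    return tempfile.mkdtemp(prefix="private_data_dir_")


def is_private_dir(path, uid=None):
    """Check before trusting a directory as private: it must exist, be a real
    directory (not a symlink), be owned by us, and grant no group/other bits."""
    if uid is None:
        uid = os.geteuid()
    try:
        st = os.lstat(path)      # lstat so a symlink is not followed
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != uid:
        return False
    return stat.S_IMODE(st.st_mode) & 0o077 == 0


def demo():
    """Returns (dangling name accepted?, fresh mkdtemp dir accepted?,
    same dir accepted after being made group/other readable?)."""
    dangling = is_private_dir(reused_tempdir_name())
    d = make_private_dir()
    fresh = is_private_dir(d)
    os.chmod(d, 0o755)           # constructed: simulate a dir others can read
    loosened = is_private_dir(d)
    os.rmdir(d)
    return dangling, fresh, loosened
```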

Comment 1 Pedro Sampaio 2021-06-30 19:52:23 UTC
Created python-ansible-runner tracking bugs for this issue:

Affects: epel-7 [bug 1977968]
Affects: fedora-all [bug 1977967]
Affects: openstack-rdo [bug 1977966]

Comment 4 Sage McTaggart 2021-07-02 20:50:49 UTC
Red Hat Ceph Storage 4 does not ship the affected code, and has been marked not affected.

Comment 5 Mark Cooper 2021-07-05 07:40:54 UTC
In OCP 4.7, version 1.4.6-2 is packaged and is too old to have the vulnerable code - uses the secure version of mkstemp:
https://github.com/ansible/ansible-runner/blob/26a06567df037889f15e4b2eaa29919c6637986f/ansible_runner/utils.py#L151

In OCP 3.11, version 1.2.0-1 is packaged and uses the secure version of make temp:
https://github.com/ansible/ansible-runner/blob/94f58c7c3667102dbafbf3b2349322c594deeccc/ansible_runner/utils.py#L143

Looks like the vulnerable code got refactored around version 2 https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253

Comment 6 Mark Cooper 2021-07-05 12:32:47 UTC
Well, in hindsight, even if the above ^ aren't the refactored ones, the older versions still don't contain the code to insecurely create a temp dir.

Comment 8 Tapas Jena 2021-08-11 17:34:43 UTC
Analysis is complete for all the concerned Ansible components and it was found that AAP 1.2 and Ansible Tower are affected by this vulnerability. However, AAP 2.0 is "Not Affected" by this vulnerability as it ships ansible-runner 2.0.1 which already contains the fix for this issue.

Comment 11 Tapas Jena 2021-11-12 17:16:58 UTC
This vulnerability was part of ansible_runner_2.0 but was fixed before it got published. It was fixed by this PR https://github.com/ansible/ansible-runner/pull/742 (the commits in that PR got back-ported to release_2.0 before we went GA).
This code wasn't part of 1.4 - so no released version of runner is actually impacted by this.

Finally, no shipped ansible-runner version from Red Hat has faced this issue. Hence, though this was marked as "affected" initially, it is being marked back to "not affected". However, since this is a valid vulnerability, the CVE will remain valid as well.

Comment 12 Product Security DevOps Team 2021-11-12 17:27:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3702