Bug 1977965 (CVE-2021-3702)
Summary: | CVE-2021-3702 ansible-runner: Race condition with temporary files in tempfile.TemporaryDirectory() | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | akarol, amctagga, anharris, aos-bugs, aos-install, bbuckingham, bcoca, bcourt, bkearney, bmontgom, bniver, btotty, chousekn, cmeyers, davidn, dblechte, dfediuck, dmetzger, dradez, eedri, ehelms, eparis, flucifre, gblomqui, gmccullo, gmeno, gtanzill, hvyas, jburrell, jcammara, jhardy, jjoyce, jobarker, jokerman, jschluet, jsherril, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mcooper, mgoldboi, mhackett, mhulan, michal.skrivanek, mmccune, myarboro, nmoumoul, nstielau, obarenbo, orabin, osapryki, pcreech, rchan, relrod, rjerrido, roliveri, rpetrell, sbonazzo, sclewis, sdoran, sherold, simaishi, slinaber, smallamp, smcdonal, sokeeffe, sostapov, sponnaga, tkuratom, vereddy, yturgema
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest threat from this flaw is to integrity and confidentiality. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2021-11-12 17:27:20 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1977966, 1977967, 1977968 | |
Bug Blocks: | 1977971 | |
Description
Pedro Sampaio
2021-06-30 19:51:37 UTC
Created python-ansible-runner tracking bugs for this issue:

Affects: epel-7 [bug 1977968]
Affects: fedora-all [bug 1977967]
Affects: openstack-rdo [bug 1977966]

Red Hat Ceph Storage 4 does not ship the affected code, and has been marked not affected.

In OCP 4.7, version 1.4.6-2 is packaged and is too old to have the vulnerable code; it uses the secure version of mkstemp: https://github.com/ansible/ansible-runner/blob/26a06567df037889f15e4b2eaa29919c6637986f/ansible_runner/utils.py#L151

In OCP 3.11, version 1.2.0-1 is packaged and uses the secure version of make temp: https://github.com/ansible/ansible-runner/blob/94f58c7c3667102dbafbf3b2349322c594deeccc/ansible_runner/utils.py#L143

Looks like the vulnerable code got refactored around version 2: https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253

Well, in hindsight, even if the above ^ aren't the refactored ones, the older versions still don't contain the code to insecurely create a temp dir.

Analysis is complete for all the concerned Ansible components and it was found that AAP 1.2 and Ansible Tower are affected by this vulnerability. However, AAP 2.0 is "Not Affected" by this vulnerability as it ships ansible-runner 2.0.1, which already contains the fix for this issue.

This vulnerability was part of ansible_runner_2.0 but was fixed before it got published. It was fixed by this PR: https://github.com/ansible/ansible-runner/pull/742 (the commits in that PR got back-ported to release_2.0 before we went GA). This code wasn't part of 1.4, so no released version of runner is actually impacted by this.

Finally, no shipped ansible-runner version from Red Hat has been facing this issue. Hence, though this was marked as "affected" initially, it is being marked back to "not affected". However, since this is a valid vulnerability, the CVE will remain valid as well.

This bug is now closed.

Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3702
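The Doc Text above describes the general shape of the flaw: a temporary directory is created and deleted, and its name is later reused as private_data_dir, leaving a window in which an entry of someone else's choosing can occupy that name. The following is an added illustration of that pattern and its defensive counterpart; it is not ansible-runner's code, and the function names (`insecure_private_dir_name`, `secure_private_dir`, `verify_private_dir`, `demo_substitution`) and the scratch-directory scenario are constructed for this example. It assumes a POSIX system, in line with the OS field of this bug.

```python
import os
import stat
import tempfile


def insecure_private_dir_name(parent=None):
    """Anti-pattern described in the Doc Text: take the name of a
    TemporaryDirectory(), let the context manager delete the directory on
    exit, and keep using the now-dangling path. Between the deletion and the
    next use, anyone who can write to the parent directory can place their
    own entry at that name. The path is returned only so a caller can see
    that it no longer exists."""
    with tempfile.TemporaryDirectory(prefix="runner-", dir=parent) as d:
        name = d
    return name


def insecure_name_dangles(parent=None):
    """True when the path produced by the anti-pattern is already gone."""
    return not os.path.exists(insecure_private_dir_name(parent))


def secure_private_dir(parent=None):
    """Hardened form: mkdtemp() creates the directory atomically with mode
    0700 and an unpredictable name, and nothing here deletes and re-creates
    it, so there is no name to reuse."""
    return tempfile.mkdtemp(prefix="runner-", dir=parent)


def verify_private_dir(path):
    """Defensive re-check before trusting an existing private_data_dir: the
    entry must be a real directory (not a symlink), owned by the current
    user, and inaccessible to group and others. lstat() is used so that a
    symlink is inspected rather than followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False
    return True


def demo_substitution():
    """Constructed scenario confined to a scratch area: a freshly created
    private dir passes the check, while an entry swapped in at the expected
    name (a symlink, or a directory with relaxed permissions) is rejected.
    Returns the three verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        good = secure_private_dir(parent=scratch)
        results["fresh"] = verify_private_dir(good)

        # Symlink at the expected name, pointing at another directory.
        elsewhere = os.path.join(scratch, "elsewhere")
        os.mkdir(elsewhere)
        linked = os.path.join(scratch, "runner-linked")
        os.symlink(elsewhere, linked)
        results["symlink_substitute"] = verify_private_dir(linked)

        # Directory at the expected name, but readable and writable by others.
        loose = os.path.join(scratch, "runner-loose")
        os.mkdir(loose)
        os.chmod(loose, 0o777)
        results["world_writable"] = verify_private_dir(loose)
    return results


if __name__ == "__main__":
    print("anti-pattern path dangles:", insecure_name_dangles())
    print(demo_substitution())
```

The ownership and mode checks in `verify_private_dir` are what make reuse of an existing directory safe to reason about: a directory created by `mkdtemp()` satisfies them by construction, while anything placed at that name by a different user, or loosened after the fact, does not.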