Bug 2229979 (CVE-2023-4237)

Summary: CVE-2023-4237 ansible automation platform: ec2_key module prints out the private key directly to the standard output
Product: [Other] Security Response
Reporter: Vipul Nair <vinair>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, davidn, epacific, jcammara, jhardy, jneedle, jobarker, kshier, mabashia, osapryki, simaishi, smcdonal, stcannon, teagle, tfister, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2229966

Description Vipul Nair 2023-08-08 11:15:56 UTC
"When creating a new keypair the ec2_key module prints out the private key directly to the standard output. I wasn't able to find any way to disable this behavior in the module's documentation. This makes it unusable in any kind of public CI workflow such as GHA."

Confirmed impacting all collection releases, and back to ansible-core 2.8 (did not test further back).
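The exposure described in this bug is key material landing in CI or job logs. As an added example (not part of this bug report or of the ec2_key module), the following Python scanner detects PEM private-key blocks in captured log text and produces a redacted copy that is safe to retain. The sample log is constructed to mimic an Ansible task result whose JSON-escaped `private_key` field contains a key with `\n` sequences, alongside a key printed with literal line breaks; the key bodies are placeholder text, not real keys.

```python
import re

# Constructed sample log: what a CI job might capture after a task that returns
# key material in its result dict. Key bodies are placeholders, not real keys.
SAMPLE_LOG = """\
TASK [create keypair] ******************************************************
changed: [localhost] => {"changed": true, "key": {"name": "ci-key", "private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEA0placeholder\\n-----END RSA PRIVATE KEY-----\\n"}}
TASK [write key] ************************************************************
ok: [localhost]
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAAplaceholder
-----END OPENSSH PRIVATE KEY-----
PLAY RECAP *****************************************************************
"""

# Matches a PEM private-key block of any kind (RSA, EC, OPENSSH, PKCS#8 "PRIVATE KEY",
# "ENCRYPTED PRIVATE KEY"). DOTALL lets the body span literal newlines; because the
# body is matched lazily it also spans JSON-escaped "\n" sequences inside a single
# log line, which is how Ansible's per-task result dicts are printed.
PEM_KEY_RE = re.compile(
    r"-----BEGIN (?P<kind>[A-Z0-9 ]*?PRIVATE KEY)-----"
    r"(?P<body>.*?)"
    r"-----END (?P=kind)-----",
    re.DOTALL,
)


def find_private_keys(log_text):
    """Return a list of (line_number, key_kind) for every private-key block found."""
    findings = []
    for m in PEM_KEY_RE.finditer(log_text):
        # 1-based line number of the BEGIN marker, for pointing at the leaking task.
        line_no = log_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group("kind")))
    return findings


def redact_private_keys(log_text):
    """Replace each private-key block (markers and body) with a redaction marker."""
    return PEM_KEY_RE.sub(lambda m: f"[REDACTED {m.group('kind')}]", log_text)


if __name__ == "__main__":
    for line_no, kind in find_private_keys(SAMPLE_LOG):
        print(f"line {line_no}: {kind} found in log output")
    print(redact_private_keys(SAMPLE_LOG))
```

Run as a post-job step over the captured output, a non-empty result from `find_private_keys` is the signal to fail the pipeline and rotate the key, while `redact_private_keys` gives a copy of the log that can be archived without carrying the secret.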

Comment 4 Borja Tarraso 2023-11-17 19:45:59 UTC
This issue has been solved in the following releases:

https://access.redhat.com/errata/RHBA-2023:5666
https://access.redhat.com/errata/RHBA-2023:5653