Bug 2259013 (CVE-2024-0690)

Summary: CVE-2024-0690 ansible-core: possible information leak in tasks that ignore ANSIBLE_NO_LOG configuration
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, bfinger, davidn, epacific, hkataria, jcammara, jhardy, jmitchel, jneedle, jobarker, jtanner, kshier, kyoshida, mabashia, rbobbitt, simaishi, smcdonal, stcannon, teagle, tfister, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ansible 2.14.4, ansible 2.15.9, ansible 2.16.3
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2259021, 2259029, 2259030, 2259031
Bug Blocks: 2259009

Description Zack Miele 2024-01-18 16:02:02 UTC
The `ANSIBLE_NO_LOG` environment variable configuration is currently being ignored. This impacts ansible-core 2.14, 2.15, and 2.16 supported releases (present in AAP 2.3 and 2.4).

There are workarounds, such as explicitly setting `no_log` within the playbook, but anyone relying on a global configuration is impacted.
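
The workaround named in the description, shown as an added playbook example that is not part of the bug report or of the ansible-core project: the first task relies on the global `ANSIBLE_NO_LOG` setting, the second sets `no_log` on the task itself. The play name, variable names and the `example-secret-*` values are constructed for the example.

```yaml
# Added example (not from the bug report): a task that relies on the
# global ANSIBLE_NO_LOG setting beside the same task with no_log set
# explicitly, which is the workaround the report describes.
- name: Compare global ANSIBLE_NO_LOG with per-task no_log
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed sample values standing in for vault-decrypted secrets.
    api_tokens:
      - example-secret-1
      - example-secret-2
  tasks:
    # BEFORE: depends on ANSIBLE_NO_LOG=true being set in the environment.
    # On the affected ansible-core releases the loop items still appear in
    # the task output, so the token values are printed.
    - name: Register each token (relies on global ANSIBLE_NO_LOG)
      ansible.builtin.debug:
        msg: "registering {{ item }}"
      loop: "{{ api_tokens }}"

    # AFTER: no_log is set on the task itself, the workaround the report
    # lists; the loop items are masked regardless of the environment.
    - name: Register each token (explicit no_log)
      ansible.builtin.debug:
        msg: "registering {{ item }}"
      loop: "{{ api_tokens }}"
      no_log: true
```

Running the play with `ANSIBLE_NO_LOG=true` exported on an affected release and comparing the two tasks' output is a quick way to confirm whether a given installation needs the per-task setting until it is upgraded to one of the fixed versions listed above.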

Comment 2 Zack Miele 2024-01-18 17:10:14 UTC
Created ansible-core tracking bugs for this issue:

Affects: fedora-39 [bug 2259021]

Comment 4 Borja Tarraso 2024-01-18 18:33:47 UTC
Created ansible tracking bugs for this issue:

Affects: epel-8 [bug 2259029]
Affects: fedora-38 [bug 2259030]
Affects: fedora-39 [bug 2259031]

Comment 6 errata-xmlrpc 2024-02-07 20:42:41 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:0733 https://access.redhat.com/errata/RHSA-2024:0733

Comment 7 errata-xmlrpc 2024-04-30 09:55:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2246 https://access.redhat.com/errata/RHSA-2024:2246

Comment 8 errata-xmlrpc 2024-05-22 09:39:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3043 https://access.redhat.com/errata/RHSA-2024:3043