Bug 2293576 (CVE-2024-6234)

Summary: CVE-2024-6234 ansible-automation-platform: EDA server exposes websocket jwt when running rulebook activations in debug mode
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the Ansible Automation Platform. The Event-Driven Ansible server exposes the WebSocket JSON web token (JWT) when running Rulebook activations in debug mode, which, if obtained by an attacker, can be used to connect to the socket and issue commands that return Playbook content or other sensitive data.
Bug Blocks: 2293577

Description Robb Gatica 2024-06-21 02:03:15 UTC
Summary:
EDA server exposes websocket jwt when running rulebook activations in debug mode. The jwt is sensitive and should never be exposed.

Steps to Reproduce:
1. Make an Automation Decision

2. Make a Project.

3. Create a Rulebook Activation from the project you created and set the log level to Debug

4. Activate it

Expected results:
For the Authorization to be redacted
2024-06-07 17:23:31,360 - websockets.client - DEBUG - > Authorization:
Bearer e ****

Actual results:
2024-06-07 17:23:31,360 - websockets.client - DEBUG - > Authorization:
Bearer [**redacted jwt**]

Additional Information:
- The bearer value is a jwt and can be base64 decoded, i.e., you can use the Bearer secret to connect to the websocket.

- Once connected you can issue commands that return playbook content and other secrets injected. In this case it's showing an EDA credential w/ Controller username and Token that I associated with the rulebook activation.

- It seems likely that the fix for a previous websocket vulnerability introduced this vulnerability
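Added example, not code from the bug report or from the EDA project: a Python logging filter that masks bearer tokens and JWT-shaped strings before a websockets-style DEBUG header log line is formatted, which is the redaction the expected result above calls for. The masking convention (first character followed by asterisks), the logger name "websockets.client.demo" and the sample token are assumptions made for the demo.

```python
import io
import logging
import re

# A logging.Filter is applied before any handler formats the record, so the
# secret never reaches a file, a journal or a UI log view.
BEARER_RE = re.compile(r"(?i)(\bBearer\s+)(\S+)")  # "Bearer <token>" in an Authorization header
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")  # 3 base64url segments
# Constructed token for the demo, not a real credential.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJlZGEtYWN0aXZhdGlvbiJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"

def _mask(token: str) -> str:
    """Keep the first character (enough to recognise a JWT) and hide the rest."""
    return token[:1] + "****"

def redact_secrets(text: str) -> str:
    """Return text with bearer tokens and bare JWT-shaped values masked."""
    text = BEARER_RE.sub(lambda m: m.group(1) + _mask(m.group(2)), text)
    return JWT_RE.sub(lambda m: _mask(m.group(0)), text)

def _redact_arg(value):
    return redact_secrets(value) if isinstance(value, str) else value  # leave %d-style args alone

class RedactingFilter(logging.Filter):
    """Rewrite the record's message and string args in place; returning True keeps the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = redact_secrets(record.msg)
        if isinstance(record.args, dict):
            record.args = {k: _redact_arg(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(_redact_arg(a) for a in record.args)
        return True

def log_handshake_headers(headers: dict) -> list:
    """Log each header the way a websockets-style client does at DEBUG; return the emitted lines."""
    logger = logging.getLogger("websockets.client.demo")  # assumed logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(name)s - %(levelname)s - %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for key, value in headers.items():
        logger.debug("> %s: %s", key, value)
    return stream.getvalue().splitlines()
```

Attaching the filter to the logger (rather than to one handler) means every handler that receives the record, including ones added later by the platform, sees only the masked value.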