It was found that ansible does not sanitize task content before sending it to the callback plugins when using no_log directive.
Acknowledgments: Name: David Moreau Simard (Red Hat)
Created ansible1.9 tracking bugs for this issue: Affects: fedora-all [bug 1441406] Affects: epel-all [bug 1441408]
Created ansible tracking bugs for this issue: Affects: fedora-all [bug 1441405] Affects: epel-all [bug 1441407]
A few of us working on Ansible upstream talked about this with btarraso last week. We decided this is not a bug in Ansible but in any callback plugins which are not sanitizing information which they output. * Callback plugins could legitimately be using that information so we have to pass it on to them. * Ansible runs the callback plugins in-process so there's no way to protect against malicious callback plugins getting access to that information a different way and then using it. Even if we ran them out of process, they would still run as the user invoking ansible so there are still a variety of ways a malicious plugin could make changes that would eventually yield that information. You have to trust your plugins. Note that the changelog entry noted above "* modules and callbacks have been extended to support no_log to avoid data disclosure" is not about this issue. we have two features which use the no_log keyword. One is task-level no_log which says not to log any of the information about a task (other than it ran successfully or not) is what this bug seems to be raised on. The other is module arguments which are marked as no_log in the module's code which is what the changelog entry is about.
Statement: Ansible Security Team and Red Hat Product Security determined that this is not a vulnerability.