Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1440912 - (CVE-2017-7473) CVE-2017-7473 ansible: Potential information disclosure via no_log directive
CVE-2017-7473 ansible: Potential information disclosure via no_log directive
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170411,repor...
: Security
Depends On: 1441406 1441405 1441407 1441408 1446536
Blocks: 1440915
  Show dependency treegraph
 
Reported: 2017-04-10 14:00 EDT by Adam Mariš
Modified: 2018-06-29 18:19 EDT (History)
32 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the no_log directive (information may not be sanitized properly).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Mariš 2017-04-10 14:00:35 EDT 
It was found that ansible does not sanitize task content before sending it to the callback plugins when using no_log directive.
Comment 1 Adam Mariš 2017-04-10 14:00:52 EDT 
Acknowledgments:

Name: David Moreau Simard (Red Hat)
Comment 3 Kurt Seifried 2017-04-11 17:23:16 EDT 
Created ansible1.9 tracking bugs for this issue:

Affects: fedora-all [bug 1441406]
Affects: epel-all [bug 1441408]
Comment 4 Kurt Seifried 2017-04-11 17:23:34 EDT 
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1441405]
Affects: epel-all [bug 1441407]
Comment 21 Summer Long 2017-07-25 00:37:41 EDT 
Statement:

Red Hat OpenStack Platform will no longer be updating the Ansible package in: 
* Red Hat OpenStack Platform 10 (Newton)
* Red Hat OpenStack Platform 11 (Ocata)

As of Red Hat Enterprise Linux 7.4, customers can consume an updated Ansible package directly from the extras-rhel-7.4 channel. For more information, refer to Red Hat Enterprise Linux release information.
Comment 22 Toshio Kuratomi 2017-10-30 16:44:32 EDT 
A few of us working on Ansible upstream talked about this with btarraso last week.  We decided this is not a bug in Ansible but in any callback plugins which are not sanitizing information which they output.

* Callback plugins could legitimately be using that information so we have to pass it on to them.
* Ansible runs the callback plugins in-process so there's no way to protect against malicious callback plugins getting access to that information a different way and then using it.  Even if we ran them out of process, they would still run as the user invoking ansible so there are still a variety of ways a malicious plugin could make changes that would eventually yield that information.  You have to trust your plugins.

Note that the changelog entry noted above "* modules and callbacks have been extended to support no_log to avoid data disclosure" is not about this issue.  we have two features which use the no_log keyword.  One is task-level no_log which says not to log any of the information about a task (other than it ran successfully or not) is what this bug seems to be raised on.  The other is module arguments which are marked as no_log in the module's code which is what the changelog entry is about.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.