Bug 1473645 (CVE-2017-7550) - CVE-2017-7550 ansible: jenkins_plugin module exposes passwords in remote host logs
Summary: CVE-2017-7550 ansible: jenkins_plugin module exposes passwords in remote host...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7550
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1474154 1495236 1495237 1497788 1497794
Blocks: 1473646
TreeView+ depends on / blocked
 
Reported: 2017-07-21 11:30 UTC by Adam Mariš
Modified: 2019-09-29 14:16 UTC (History)
43 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Ansible passed certain parameters to the jenkins_plugin module. A remote attacker could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:17:22 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2966 normal SHIPPED_LIVE Moderate: ansible security, bug fix, and enhancement update 2017-10-19 18:53:42 UTC

Description Adam Mariš 2017-07-21 11:30:44 UTC
It was discovered that jenkins_plugin module in Ansible exposes passwords with the params attribute in the system logs of the remote host. Low privileged user on remote host can access the logs and is able to log into Jenkins instance as administrator.

Comment 1 Adam Mariš 2017-07-21 11:30:57 UTC
Acknowledgments:

Name: Stefano Mazzucco (Kirontech)

Comment 7 Borja Tarraso 2017-09-25 14:55:36 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1495237]
Affects: fedora-all [bug 1495236]

Comment 8 Toshio Kuratomi 2017-09-25 19:39:01 UTC
I took a look at this bug upstream and filed: https://github.com/ansible/ansible/issues/30874

It looks to be mostly a documentation bug.  The jenkins_plugin is a community written plugin.  It logs into a jenkins server to manage plugins installed there.  The plugin has the standard argument, url_password in order to authenticate to the jenkins server.

It also has a non-standard, params argument.  The params argument takes a free-form dict of values and then override the normal module params with those arguments.  This may have been added during development and then in module review mistaken as a set of arbitrary params that had to be passed to the jenkins server rather than being a supplement to the ansible module arguments.  I've requested that the community maintainer of the module remove the params argument in the upstream bug report.

The documentation issue is that the module's documentation tells users to use the params to pass url_password into the module.  Doing this bypasses the module's setting of no_log on the url_password.  Instead, the module should document setting url_password via the proper url_password field.  If the user use's the actual url_password argument then the password should be properly hidden.

I'll change the documentation immediately for our next upstream release.

Comment 9 Toshio Kuratomi 2017-09-26 01:40:09 UTC
I went a little further in the PR I eventually merged upstream: https://github.com/ansible/ansible/pull/30875  In addition to changing the documentation, the PR prevents the user from specifying url_password in the param argument (an error is raised if the user attempts to do so.)  The PR has been applied in the 2.3.x, 2.4.x, and devel branches.  If there's another release for 2.3.x, this change will be in 2.3.3.  It will be in 2.4.1 (out in about a month).  It will be in 2.5.0 (~4 months from now).  If you want to apply the patch now, the changes in that PR applied cleanly on all of the branches.

Comment 12 Martin Prpič 2017-10-19 10:34:09 UTC
Statement:

Red Hat OpenStack Platform will no longer be updating the Ansible package in: 

* Red Hat OpenStack Platform 10 (Newton)
* Red Hat OpenStack Platform 11 (Ocata)

As of Red Hat Enterprise Linux 7.4, customers can consume an updated Ansible package directly from the extras-rhel-7.4 channel. For more information, refer to Red Hat Enterprise Linux release information.

Comment 13 errata-xmlrpc 2017-10-19 15:20:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2017:2966 https://access.redhat.com/errata/RHSA-2017:2966

Comment 14 Jason Shepherd 2018-04-03 04:28:26 UTC
Jenkins is not installed via ansible in Openshift Enterprise. Marking as notaffected.


Note You need to log in before you can comment on or make changes to this bug.