A flaw was found in the way Ansible passed certain parameters to the jenkins_plugin module. A remote attacker could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation.
It was discovered that the jenkins_plugin module in Ansible exposes passwords passed via the params attribute in the system logs of the remote host. A low-privileged user on the remote host can access the logs and is able to log into the Jenkins instance as administrator.
Name: Stefano Mazzucco (Kirontech)
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1495237]
Affects: fedora-all [bug 1495236]
I took a look at this bug upstream and filed: https://github.com/ansible/ansible/issues/30874
It looks to be mostly a documentation bug. The jenkins_plugin is a community-written plugin. It logs into a Jenkins server to manage plugins installed there. The plugin has the standard argument, url_password, in order to authenticate to the Jenkins server.
It also has a non-standard params argument. The params argument takes a free-form dict of values and then overrides the normal module params with those arguments. This may have been added during development and then in module review mistaken for a set of arbitrary params that had to be passed to the Jenkins server rather than being a supplement to the Ansible module arguments. I've requested that the community maintainer of the module remove the params argument in the upstream bug report.
The documentation issue is that the module's documentation tells users to use params to pass url_password into the module. Doing this bypasses the module's setting of no_log on url_password. Instead, the module should document setting url_password via the proper url_password field. If the user uses the actual url_password argument, then the password should be properly hidden.
I'll change the documentation immediately for our next upstream release.
I went a little further in the PR I eventually merged upstream: https://github.com/ansible/ansible/pull/30875 In addition to changing the documentation, the PR prevents the user from specifying url_password in the params argument (an error is raised if the user attempts to do so). The PR has been applied in the 2.3.x, 2.4.x, and devel branches. If there's another release for 2.3.x, this change will be in 2.3.3. It will be in 2.4.1 (out in about a month). It will be in 2.5.0 (~4 months from now). If you want to apply the patch now, the changes in that PR applied cleanly on all of the branches.
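The following is a constructed simulation added to illustrate the mechanism discussed in the comments above; it is not Ansible's module code. It models how AnsibleModule masks no_log values by value before logging, why a password hidden inside the free-form params dict is never registered for masking, and the kind of guard the maintainer describes (refusing url_password inside params). The argument names, log format, sample URL and sample password are assumptions for the example.

```python
# Constructed illustration (not Ansible's code): how a free-form "params"
# dict bypasses no_log on url_password, and a guard that rejects the misuse.

NO_LOG_ARGS = {"url_password"}  # module arguments declared with no_log=True


class RejectedArgument(Exception):
    """Stands in for module.fail_json() in this simulation."""


def redact(text, secrets):
    """Mask every registered no_log value. Like AnsibleModule, masking is
    done by value, so only values that were registered get hidden."""
    for secret in secrets:
        text = text.replace(secret, "********")
    return text


def run_module(args, guard_params=False):
    """Simulate module start-up. Returns (log_line, effective_params), where
    log_line is the invocation record that would land in the remote host's
    logs. guard_params=True models the fix described in the bug: refuse
    url_password inside the 'params' dict before anything is logged."""
    params = dict(args)
    extra = params.get("params") or {}

    if guard_params and "url_password" in extra:
        raise RejectedArgument(
            "url_password must be given as the url_password argument, not in params")

    # Only values bound to no_log arguments are registered for redaction.
    # A password nested inside 'params' is an ordinary dict value here.
    no_log_values = {str(params[k]) for k in NO_LOG_ARGS if params.get(k)}
    invocation = "Invoked with " + " ".join(
        "%s=%r" % (k, v) for k, v in sorted(params.items()))
    log_line = redact(invocation, no_log_values)

    # The original module then let 'params' override the regular arguments,
    # which is why the documented "params" usage still authenticated fine.
    params.update(extra)
    return log_line, params
```

Running it with the password in params shows the cleartext value in the log line, while the same password given as url_password is masked, and the guarded variant refuses the params form outright.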
Red Hat OpenStack Platform will no longer be updating the Ansible package in:
* Red Hat OpenStack Platform 10 (Newton)
* Red Hat OpenStack Platform 11 (Ocata)
As of Red Hat Enterprise Linux 7.4, customers can consume an updated Ansible package directly from the extras-rhel-7.4 channel. For more information, refer to Red Hat Enterprise Linux release information.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extras
Via RHSA-2017:2966 https://access.redhat.com/errata/RHSA-2017:2966
Jenkins is not installed via Ansible in OpenShift Enterprise. Marking as notaffected.