Bug 1588855 (CVE-2018-10855) - CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
Summary: CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10855
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1589298 1589299 1589301 1589303 1589304 1590199 1590200 1590503 1590504 1590505 1590642 1590643 1590644 1590664 1590675 1590676 1590677
Blocks: 1588859
TreeView+ depends on / blocked
 
Reported: 2018-06-08 00:14 UTC by Sam Fowler
Modified: 2022-03-13 15:05 UTC (History)
83 users (show)

Fixed In Version: Ansible 2.4.5, Ansible 2.5.5
Clone Of:
Environment:
Last Closed: 2019-06-10 10:28:27 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1948 0 None None None 2018-06-19 19:27:14 UTC
Red Hat Product Errata RHSA-2018:1949 0 None None None 2018-06-19 19:27:57 UTC
Red Hat Product Errata RHSA-2018:2022 0 None None None 2018-06-26 17:12:40 UTC
Red Hat Product Errata RHSA-2018:2079 0 None None None 2018-06-27 10:04:25 UTC
Red Hat Product Errata RHSA-2018:2184 0 None None None 2018-07-12 13:14:43 UTC
Red Hat Product Errata RHSA-2018:2585 0 None None None 2018-08-29 16:05:26 UTC
Red Hat Product Errata RHSA-2019:0054 0 None None None 2019-01-16 17:10:05 UTC

Description Sam Fowler 2018-06-08 00:14:19 UTC 
Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled.
Comment 4 Toshio Kuratomi 2018-06-08 16:03:17 UTC 
We have a fix for this issue upstream
Comment 7 Sam Fowler 2018-06-11 03:05:21 UTC 
Acknowledgments:

Name: Tobias Henkel (BMW Car IT GmbH)
Comment 8 Toshio Kuratomi 2018-06-11 21:02:35 UTC 
After talking to btarasso, we have pushed out a PR to address this: https://github.com/ansible/ansible/pull/41414  Will be merging that and backporting to stbale-2.4 stable-2.5 and stable-2.6 branches.  Releases or release candidates with the fix applied will then be released from those branches.
Comment 9 Borja Tarraso 2018-06-12 08:06:43 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1590199]
Affects: fedora-all [bug 1590200]
Comment 10 Toshio Kuratomi 2018-06-12 15:04:50 UTC 
I talked to bcoca about the upstream changelog entry for this today and he let me know that iteration is not necessary to provoke this bug.  It is provoked by some (but not all) exceptions raised by a connection plugin.  This will be the text of our changelog entry:

"Some connection exceptions would cause no_log specified on a task to be ignored.  If this happened, the task information, including any private information could have been displayed to stdout and (if enabled, not the default) logged to a log file specified in ansible.cfg's log_path.  Additionally, sites which redirected stdout from ansible runs to a log file may have stored that private information onto disk that way as well"
Comment 20 errata-xmlrpc 2018-06-19 19:26:41 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:1948 https://access.redhat.com/errata/RHSA-2018:1948
Comment 21 errata-xmlrpc 2018-06-19 19:27:03 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:1949 https://access.redhat.com/errata/RHSA-2018:1949
Comment 22 errata-xmlrpc 2018-06-19 19:27:35 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:1949 https://access.redhat.com/errata/RHSA-2018:1949
Comment 24 Doran Moppert 2018-06-26 05:00:48 UTC 
External References:

https://github.com/ansible/ansible/pull/41414
Comment 25 errata-xmlrpc 2018-06-26 17:12:14 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.4 for RHEL 7

Via RHSA-2018:2022 https://access.redhat.com/errata/RHSA-2018:2022
Comment 26 errata-xmlrpc 2018-06-27 10:04:01 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2079 https://access.redhat.com/errata/RHSA-2018:2079
Comment 27 errata-xmlrpc 2018-07-12 13:14:13 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:2184 https://access.redhat.com/errata/RHSA-2018:2184
Comment 33 errata-xmlrpc 2018-08-29 16:05:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585
Comment 34 errata-xmlrpc 2019-01-16 17:10:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054
Comment 35 Hardik Vyas 2020-12-04 15:30:18 UTC 
Statement:

Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.
Note You need to log in before you can comment on or make changes to this bug.