Bug 1640642 – CVE-2018-16837 Ansible: Information leak in "user" module

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1640642 - (CVE-2018-16837) CVE-2018-16837 Ansible: Information leak in "user" module

Summary:	CVE-2018-16837 Ansible: Information leak in "user" module

Status:	NEW

Aliases:	CVE-2018-16837

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20181023:0646,...
Keywords:	Security

Depends On:	1644841 1644843 1644844 1644845
Blocks:	1640345
	Show dependency tree / graph

Reported:	2018-10-18 09:14 EDT by Borja Tarraso
Modified:	2018-11-02 09:18 EDT (History)
CC List:	9 users (show)

See Also:
Fixed In Version:	ansible-engine 2.7.1, ansible-engine 2.6.7, ansible-engine 2.5.11
Doc Type:	If docs needed, set a value
Doc Text:	The User module in Ansible leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations such as passphrase credentials being passed as a parameter for the ssh-keygen executable, showing those credentials in clear text form for every user which have access just to the process list.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Borja Tarraso 2018-10-18 09:14:22 EDT

"User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.

Comment 1 Borja Tarraso 2018-10-18 09:14:26 EDT

Acknowledgments:

Name: Markus Teufelberger (mgIT Consulting)

Comment 4 Salvatore Bonaccorso 2018-10-24 14:52:02 EDT

Is there any more information on e.g. upstream fix for this issue? Upstream issue reference?

Comment 5 Borja Tarraso 2018-10-25 04:33:12 EDT

In reply to comment 4:
> Is there any more information on e.g. upstream fix for this issue? Upstream
> issue reference?

Here it is: https://github.com/ansible/ansible/pull/47436

Comment 6 Borja Tarraso 2018-10-25 06:16:28 EDT

External References:

https://github.com/ansible/ansible/pull/47436

Comment 7 Chad Scribner 2018-10-30 12:15:31 EDT

Hi Borja,

Are there any blockers to getting https://github.com/ansible/ansible/pull/47487 merged in?  I have a customer interested to know when they can expected the fixes for 2.5, 2.6, and 2.7 to be released via errata.

Comment 9 Borja Tarraso 2018-10-31 13:17:07 EDT

In reply to comment 7:
> Hi Borja,
> 
> Are there any blockers to getting
> https://github.com/ansible/ansible/pull/47487 merged in?  I have a customer
> interested to know when they can expected the fixes for 2.5, 2.6, and 2.7 to
> be released via errata.

We expect to have it by today the fix for all versions, depends of how stable are the tests if I am not wrong. For 2.7 it has been already fixed. Erratas should be soon there.

Note You need to log in before you can comment on or make changes to this bug.