Bug 1755373 (CVE-2019-14846) - CVE-2019-14846 ansible: secrets disclosed on logs when no_log enabled
Summary: CVE-2019-14846 ansible: secrets disclosed on logs when no_log enabled
Keywords:
Status: NEW
Alias: CVE-2019-14846
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1755513 1755514 1755515 1755516 1755795 1755796 1755797
Blocks: 1755369
TreeView+ depends on / blocked
 
Reported: 2019-09-25 11:33 UTC by Borja Tarraso
Modified: 2019-10-18 01:07 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Borja Tarraso 2019-09-25 11:33:47 UTC
Secrets are disclosed on logs due to display is hardcoded to DEBUG level. This causes 'no_log’ parameter is ignored on tasks.

Comment 4 Borja Tarraso 2019-10-08 07:18:26 UTC
Acknowledgments:

Name: Paul Milbank (Pushpay Site Reliability Engineering), Harvey Rendell (Pushpay Site Reliability Engineering), Tom Henderson (Pushpay Site Reliability Engineering)

Comment 5 Salvatore Bonaccorso 2019-10-09 13:10:59 UTC
Hi

Is there any related upstream issue related to this issue or further information? The dependent issues are currently not accessible and we would like to determine which ansible versions in Debian are affected by this CVE.

Regards,
Salvatore

Comment 6 Toshio Kuratomi 2019-10-11 02:41:24 UTC
It almost certainly does.  Here's the upstream fix: https://github.com/ansible/ansible/pull/63366


Note You need to log in before you can comment on or make changes to this bug.