Bug 1760829 (CVE-2019-14856) - CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206
Summary: CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14856
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1760839 1760840 1760841 1760842 1763738 1775632 1775633 1775634 1775635 1779889 1779890
Blocks: 1760830
Reported: 2019-10-11 12:33 UTC by Pedro Sampaio
Modified: 2020-12-04 16:24 UTC (History)

Fixed In Version: ansible-engine 2.8.6, ansible-engine 2.7.14, ansible-engine 2.6.20
Doc Type: If docs needed, set a value
Doc Text:
The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2019-10-25 00:51:24 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3864 0 None None None 2019-11-13 04:59:45 UTC
Red Hat Product Errata RHBA-2019:3947 0 None None None 2019-11-25 08:55:11 UTC
Red Hat Product Errata RHSA-2019:3201 0 None None None 2019-10-24 13:01:29 UTC
Red Hat Product Errata RHSA-2019:3202 0 None None None 2019-10-24 13:01:12 UTC
Red Hat Product Errata RHSA-2019:3203 0 None None None 2019-10-24 13:06:51 UTC
Red Hat Product Errata RHSA-2019:3207 0 None None None 2019-10-24 14:27:30 UTC
Red Hat Product Errata RHSA-2020:0756 0 None None None 2020-03-10 11:21:43 UTC

Description Pedro Sampaio 2019-10-11 12:33:55 UTC
The fix made in Ansible for CVE-2019-10206 was not sufficient to resolve the problem.

Comment 2 Salvatore Bonaccorso 2019-10-12 07:08:32 UTC
For reference this is https://github.com/ansible/ansible/pull/63351 upstream.

Comment 3 Toshio Kuratomi 2019-10-14 15:54:22 UTC
Also note, the backports will be smaller.  The fix in devel makes two changes which are independently sufficient to fix the problem.  The backport will only include one of them.

Comment 4 Hardik Vyas 2019-10-21 13:38:17 UTC
Vulnerable code from CVE-2019-10206 was included in the version of Ansible shipped with Ceph and Gluster.

Gluster uses Ansible package from Ansible repository and hence it will consume fixes from core Ansible. For Ceph-3 we still maintain Ansible at least for Ubuntu, Ceph-2 is about to reach end of life in December 2019.

Comment 6 errata-xmlrpc 2019-10-24 13:01:10 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202

Comment 7 errata-xmlrpc 2019-10-24 13:01:27 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201

Comment 8 errata-xmlrpc 2019-10-24 13:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203

Comment 9 errata-xmlrpc 2019-10-24 14:27:28 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207

Comment 10 Product Security DevOps Team 2019-10-25 00:51:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14856

Comment 12 Borja Tarraso 2019-11-22 13:04:17 UTC
Created ansible tracking bugs for this issue:

Affects: epel-6 [bug 1775632]
Affects: epel-7 [bug 1775633]
Affects: fedora-all [bug 1775634]
Affects: openstack-rdo [bug 1775635]

Comment 14 Nick Tait 2019-12-06 00:17:42 UTC
RHOSP fixes will be consumed from platforms.

Comment 17 errata-xmlrpc 2020-03-10 11:21:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:0756 https://access.redhat.com/errata/RHSA-2020:0756

Comment 22 Yadnyawalk Tale 2020-04-22 10:23:18 UTC
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship the `ansible` package; it is provided by the official Ansible repository.
