Ansible does not respect the no_log flag set to True when the Sumologic and Splunk callback plugins are used to send task result events to collectors. This would disclose and collect any sensitive data.
Upstream issue: https://github.com/ansible/ansible/issues/63522
Upstream fix: https://github.com/ansible/ansible/pull/63527
Acknowledgments: Name: Abhijeet Kasurde (Red Hat), Patrick O’Brien (The Trade Desk Inc)
Created ansible tracking bugs for this issue:
Affects: epel-6 [bug 1774003]
Affects: epel-7 [bug 1774004]
Affects: fedora-all [bug 1774005]
Affects: openstack-rdo [bug 1774007]

This issue has been addressed in the following products:
Red Hat Ansible Engine 2.7 for RHEL 7
Via RHSA-2019:3925 https://access.redhat.com/errata/RHSA-2019:3925

This issue has been addressed in the following products:
Red Hat Ansible Engine 2 for RHEL 7
Red Hat Ansible Engine 2 for RHEL 8
Via RHSA-2019:3928 https://access.redhat.com/errata/RHSA-2019:3928

This issue has been addressed in the following products:
Red Hat Ansible Engine 2.9 for RHEL 7
Red Hat Ansible Engine 2.9 for RHEL 8
Via RHSA-2019:3927 https://access.redhat.com/errata/RHSA-2019:3927

This issue has been addressed in the following products:
Red Hat Ansible Engine 2.8 for RHEL 7
Red Hat Ansible Engine 2.8 for RHEL 8
Via RHSA-2019:3926 https://access.redhat.com/errata/RHSA-2019:3926

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14864
Statement:
* The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat OpenStack Platform (RHOSP) does not use Sumo Logic or Splunk, Red Hat will not be providing a fix for RHOSP Ansible at this time.
* Red Hat Gluster Storage no longer maintains its own version of Ansible; the prerequisite is to enable the Ansible repository. The fix will be consumed from core Ansible.
* Ansible Tower’s Splunk logging integration uses the Splunk HTTP Collector and Ansible Engine.
* The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat Satellite 6.4 and 6.5 do not use Sumo Logic or Splunk, Red Hat will not be providing a fix for Satellite 6.4 and 6.5 and Ansible at this time. Users may upgrade to Satellite 6.6 or later, which includes the resolution to this bug, if desired.
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship the `ansible` package; it is provided by the official Ansible repository.
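
The flaw described at the top of this report comes down to a callback forwarding a task result to a collector without checking the no_log marker. The following is an added example, not code from Ansible or from the upstream fix: a simplified forwarder in its leaking and censoring forms, plus a check that looks for a known secret in outgoing events. The function names, the sample results, the placeholder text and the handling of per-item loop results are assumptions of this example; `_ansible_no_log` is the key Ansible sets on results of no_log tasks.

```python
import copy
import json

NO_LOG_KEY = "_ansible_no_log"  # marker on results of tasks run with no_log: True
CENSORED = "output hidden because no_log: true was set"  # placeholder text (assumption)

def build_event_unsafe(host, task, result):
    """Behaviour described in the report: the raw result goes to the collector."""
    return {"host": host, "task": task, "ansible_result": result}

def censor(result):
    """Return a copy of a task result that is safe to ship off-host."""
    if result.get(NO_LOG_KEY, False):
        return {"censored": CENSORED}
    cleaned = copy.deepcopy(result)
    items = cleaned.get("results")
    if isinstance(items, list):
        # Loop tasks: each item may carry its own marker (assumption of this example).
        cleaned["results"] = [censor(i) if isinstance(i, dict) else i for i in items]
    return cleaned

def build_event_safe(host, task, result):
    """Same event shape, but the result is censored before it leaves the host."""
    return {"host": host, "task": task, "ansible_result": censor(result)}

def find_leaks(events, secrets):
    """Indexes of events whose serialized form contains a known secret value."""
    return [i for i, e in enumerate(events)
            if any(s in json.dumps(e) for s in secrets)]

# Constructed sample data, not taken from a real playbook run.
SECRET = "S3cr3t-constructed-value"
SAMPLE_RESULTS = [
    {"changed": True, "cmd": "useradd deploy", NO_LOG_KEY: False},
    {"changed": True, "cmd": "set-password --value " + SECRET, NO_LOG_KEY: True},
    {"changed": True, "results": [
        {"item": "db", "stdout": "token=" + SECRET, NO_LOG_KEY: True},
        {"item": "web", "stdout": "ok"},
    ]},
]

def build_all(builder):
    """Build one event per sample result with the given builder function."""
    return [builder("host1", "task%d" % i, r) for i, r in enumerate(SAMPLE_RESULTS)]

if __name__ == "__main__":
    print("leaking events (unsafe):", find_leaks(build_all(build_event_unsafe), [SECRET]))
    print("leaking events (safe):  ", find_leaks(build_all(build_event_safe), [SECRET]))
```

The same `find_leaks` check can be pointed at events captured from a test collector, using a canary value placed in a no_log task, to confirm that an installed plugin version censors results.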