Bug 1802085 (CVE-2020-1735) - CVE-2020-1735 ansible: path injection on dest parameter in fetch module
Summary: CVE-2020-1735 ansible: path injection on dest parameter in fetch module
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1807429 1814767 1804365 1804366 1804367 1804368 1805333 1805336 1805358 1805359 1805360 1805361 1805494 1807875
Blocks: 1801714
TreeView+ depends on / blocked
 
Reported: 2020-02-12 10:42 UTC by Borja Tarraso
Modified: 2020-05-21 19:05 UTC (History)
38 users (show)

Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.
Clone Of:
Environment:
Last Closed: 2020-04-22 16:31:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2150 None None None 2020-05-14 11:25:02 UTC
Red Hat Product Errata RHBA-2020:2251 None None None 2020-05-21 19:05:01 UTC
Red Hat Product Errata RHSA-2020:1541 None None None 2020-04-22 14:09:15 UTC
Red Hat Product Errata RHSA-2020:1542 None None None 2020-04-22 14:09:33 UTC
Red Hat Product Errata RHSA-2020:1543 None None None 2020-04-22 14:09:57 UTC
Red Hat Product Errata RHSA-2020:1544 None None None 2020-04-22 14:10:10 UTC

Description Borja Tarraso 2020-02-12 10:42:10 UTC
When using the fetch module, a path injection allows a remote user to choose the destination path on the controller node. This vulnerability could be an insufficient patch of CVE-2019-3828.

Comment 2 Borja Tarraso 2020-02-17 12:57:56 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 4 Salvatore Bonaccorso 2020-02-19 07:26:35 UTC
Borja, I'm sorry I know I'm bit repetitive for all the respective issues for ansible CVE-2020-1735 up to CVE-2020-1740. It would be nice to get an idea for other downstream which versions are affected or if upstream is aware of those and working on fixes or if there are upstream issues to be tracked.

Any information on any of those? I have added NEEDINFO flags respectively for reach. Would it be possible to provide this further information?

Comment 5 Borja Tarraso 2020-02-20 16:50:47 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1805336]
Affects: fedora-all [bug 1805333]

Comment 6 Borja Tarraso 2020-02-20 17:02:33 UTC
Hey Salvatore, I am working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now, I will get back to you asap.

In reply to comment #4:
> Borja, I'm sorry I know I'm bit repetitive for all the respective issues for
> ansible CVE-2020-1735 up to CVE-2020-1740. It would be nice to get an idea
> for other downstream which versions are affected or if upstream is aware of
> those and working on fixes or if there are upstream issues to be tracked.
> 
> Any information on any of those? I have added NEEDINFO flags respectively
> for reach. Would it be possible to provide this further information?

Comment 9 Yadnyawalk Tale 2020-02-20 22:44:11 UTC
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs.

Comment 12 Borja Tarraso 2020-02-25 14:05:36 UTC
Mitigation:

Currently, there is no mitigation for this issue except avoid using the affected fetch module when possible.

Comment 14 Borja Tarraso 2020-02-27 10:25:50 UTC
Upstream fix: https://github.com/ansible/ansible/issues/67793

Comment 15 Borja Tarraso 2020-02-27 12:19:29 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1807875]

Comment 16 Hardik Vyas 2020-03-18 16:08:47 UTC
Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.

Comment 18 Borja Tarraso 2020-03-27 07:23:57 UTC
Statement:

Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

Comment 19 errata-xmlrpc 2020-04-22 14:09:13 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 20 errata-xmlrpc 2020-04-22 14:09:31 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 21 errata-xmlrpc 2020-04-22 14:09:54 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543

Comment 22 errata-xmlrpc 2020-04-22 14:10:07 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544

Comment 23 Product Security DevOps Team 2020-04-22 16:31:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1735

Comment 24 Yadnyawalk Tale 2020-05-11 09:38:38 UTC
CloudForms 5.11 do not use ansible-tower and 5.10 only using ansible-tower-venv-ansible atm.


Note You need to log in before you can comment on or make changes to this bug.