Bug 1805491 (CVE-2020-1746) - CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and ldap_entry modules
Summary: CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and ldap_ent...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1746
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1809393 1818699 1808470 1808471 1808472 1808474 1808475 1808476 1808477 1808478 1808479 1808480 1808481 1810200
Blocks: 1805492
TreeView+ depends on / blocked
 
Reported: 2020-02-20 21:34 UTC by Pedro Sampaio
Modified: 2020-05-22 18:18 UTC (History)
35 users (show)

Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Engine when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.
Clone Of:
Environment:
Last Closed: 2020-04-22 16:32:09 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2150 None None None 2020-05-14 11:25:11 UTC
Red Hat Product Errata RHBA-2020:2251 None None None 2020-05-21 19:05:08 UTC
Red Hat Product Errata RHSA-2020:1541 None None None 2020-04-22 14:09:21 UTC
Red Hat Product Errata RHSA-2020:1542 None None None 2020-04-22 14:09:45 UTC
Red Hat Product Errata RHSA-2020:1543 None None None 2020-04-22 14:10:03 UTC
Red Hat Product Errata RHSA-2020:1544 None None None 2020-04-22 14:10:22 UTC

Description Pedro Sampaio 2020-02-20 21:34:18 UTC
A flaw was found in ldap_attr and ldap_entry community modules for Ansbile. This issue discloses the LDAP bind password to stdout or a log file if
a playbook task is written using the bind_pw in the parameters field since nothing in the params field is evaluated for sensitive data.

Comment 2 Borja Tarraso 2020-02-28 15:34:46 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1808472]
Affects: fedora-all [bug 1808471]
Affects: openstack-rdo [bug 1808470]

Comment 6 Toshio Kuratomi 2020-02-28 17:44:52 UTC
Upstream fix: https://github.com/ansible/ansible/pull/67866

Comment 7 Toshio Kuratomi 2020-02-28 17:47:35 UTC
A workaround was posted by felixfontein.  Playbooks can be rewritten like this:

 # Set the following variable somewhere:
 # ldap_auth:
 #   server_uri: ldap://localhost/
 #   bind_dn: cn=admin,dc=example,dc=com
 #   bind_pw: password
 #
 # In the example below, 'args' is a task keyword, passed at the same level as the module
 - name: Get rid of an unneeded attribute
   ldap_attr:
     dn: uid=jdoe,ou=people,dc=example,dc=com
     name: shadowExpire
     values: []
     state: exact
   args: "{{ ldap_auth }}"

Comment 10 Borja Tarraso 2020-03-04 16:09:23 UTC
Mitigation:

Using args keyword and embedding the ldap_auth variable instead of using bind_pw parameter would mitigate this issue.

Comment 13 Borja Tarraso 2020-03-27 07:32:44 UTC
Acknowledgments:

Name: Felix Fountein

Comment 14 Hardik Vyas 2020-03-30 06:45:56 UTC
Statement:

* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.
* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.
* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.

Comment 16 errata-xmlrpc 2020-04-22 14:09:19 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 17 errata-xmlrpc 2020-04-22 14:09:42 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 18 errata-xmlrpc 2020-04-22 14:10:01 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543

Comment 19 errata-xmlrpc 2020-04-22 14:10:19 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544

Comment 20 Product Security DevOps Team 2020-04-22 16:32:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1746


Note You need to log in before you can comment on or make changes to this bug.