Bug 1811008 (CVE-2020-1753) - CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive information
Summary: CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive information
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1753
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1811014 1811891 1811012 1811013 1811015 1811016 1811017 1811018 1811019 1811892 1811933 1811934
Blocks: 1808553
Reported: 2020-03-06 12:06 UTC by Borja Tarraso
Modified: 2020-05-13 16:11 UTC (History)

Fixed In Version: ansible-engine 2.7.18, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A security flaw was found in Ansible Engine when managing Kubernetes with the k8s connection plugin. Sensitive parameters such as passwords and tokens are passed on the kubectl command line instead of via environment variables or an input configuration file, which would be safer. As a result, passwords and tokens are disclosed through the process list, and the no_log directive of the debug module is not reflected in the options of the underlying command-line tool, so passwords and tokens are displayed on stdout and in log files.
Clone Of:
Environment:
Last Closed: 2020-04-22 16:32:17 UTC


Links:
  Red Hat Product Errata RHSA-2020:1541 (last updated 2020-04-22 14:09:27 UTC)
  Red Hat Product Errata RHSA-2020:1542 (last updated 2020-04-22 14:09:45 UTC)
  Red Hat Product Errata RHSA-2020:2142 (last updated 2020-05-13 16:11:37 UTC)

Description Borja Tarraso 2020-03-06 12:06:10 UTC
When the user configures the 'kubectl' Ansible connection plugin to connect to Kubernetes and uses environment variables such as 'K8S_AUTH_PASSWORD' and 'K8S_AUTH_TOKEN', these values are revealed in stdout with verbose mode, in logs, and through the process list.

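Added illustration of the pattern the report describes; this is neither the plugin's code nor the upstream fix. The leaky builder mirrors the reported behaviour (secrets become argv elements), the hardened builder keeps the token and password off argv by writing them to a 0600 kubeconfig and passing only its path, and the check functions show what the process list and a no_log-style log line would see. The option names, the kubeconfig layout and the sample token are constructed for the example.

```python
import json
import os
import stat
import tempfile

SECRET_OPTIONS = {"kubectl_token": "--token", "kubectl_password": "--password"}
PLAIN_OPTIONS = {"kubectl_host": "--server", "kubectl_namespace": "-n", "kubectl_container": "-c"}

def build_leaky_cmd(opts):
    """Pre-fix pattern: every option, secrets included, becomes an argv element."""
    cmd = ["kubectl"]
    for key, flag in {**PLAIN_OPTIONS, **SECRET_OPTIONS}.items():
        if opts.get(key):
            cmd.extend([flag, opts[key]])
    return cmd

def build_hardened_cmd(opts, workdir=None):
    """Hardened pattern: secrets go into a 0600 kubeconfig; argv only names that file."""
    cmd = ["kubectl"]
    for key, flag in PLAIN_OPTIONS.items():
        if opts.get(key):
            cmd.extend([flag, opts[key]])
    user = {k: opts["kubectl_" + k] for k in ("username", "password", "token") if opts.get("kubectl_" + k)}
    cfg = {"apiVersion": "v1", "kind": "Config", "current-context": "ctx",
           "clusters": [{"name": "c", "cluster": {"server": opts.get("kubectl_host", "")}}],
           "users": [{"name": "u", "user": user}],
           "contexts": [{"name": "ctx", "context": {"cluster": "c", "user": "u"}}]}
    fd, path = tempfile.mkstemp(prefix="kubeconfig-", dir=workdir)  # mkstemp creates it mode 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)  # JSON is valid YAML, so kubectl accepts it as a kubeconfig
    cmd.extend(["--kubeconfig", path])
    return cmd

def leaked_secrets(cmd, opts):
    """Secret options whose raw values sit in argv, i.e. what the process list would expose."""
    return sorted(k for k in SECRET_OPTIONS if opts.get(k) and opts[k] in cmd)

def kubeconfig_mode(cmd):
    """Permission bits of the kubeconfig named in argv (0o600 expected)."""
    return stat.S_IMODE(os.stat(cmd[cmd.index("--kubeconfig") + 1]).st_mode)

def redact(cmd, opts):
    """Argv as it should reach verbose output and logs: secret values masked, as no_log intends."""
    secrets = {opts[k] for k in SECRET_OPTIONS if opts.get(k)}
    return ["********" if arg in secrets else arg for arg in cmd]
```
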
Comment 2 Borja Tarraso 2020-03-06 12:30:56 UTC
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat)

Comment 5 Summer Long 2020-03-10 04:43:57 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1811892]

Comment 8 Borja Tarraso 2020-03-10 09:19:29 UTC
Mitigation:

Currently, there is no mitigation for this issue.

Comment 9 Borja Tarraso 2020-03-10 09:22:04 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1811933]
Affects: fedora-all [bug 1811934]

Comment 11 Borja Tarraso 2020-03-11 16:07:23 UTC
Upstream fix: https://github.com/ansible-collections/kubernetes/pull/51

Comment 19 Yadnyawalk Tale 2020-03-24 12:26:08 UTC
Removing CloudForms from affects list. CloudForms 5.10 & 5.11 both subscribe to Ansible repos, so we do not need to include cfme5/ansible-tower in affects nor file trackers. ansible_engine/ansible_tower affects entries are sufficient to inform CloudForms customers.

Comment 21 Hardik Vyas 2020-03-30 11:45:39 UTC
kubectl connection plugin is not present in the older version of ansible shipped by Ceph and Gluster. Latest ansible version is pulled from core Ansible repo.

Comment 22 errata-xmlrpc 2020-04-22 14:09:25 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 23 errata-xmlrpc 2020-04-22 14:09:43 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 24 Product Security DevOps Team 2020-04-22 16:32:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1753

Comment 25 Borja Tarraso 2020-05-13 05:18:17 UTC
Statement:

Ansible Engine 2.7.17, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

Comment 26 errata-xmlrpc 2020-05-13 16:11:35 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:2142 https://access.redhat.com/errata/RHSA-2020:2142
