Bug 1818924 (CVE-2020-10698) - CVE-2020-10698 Tower: normal users can intercept stdout from jobs running in other organizations
Keywords:
Status: NEW
Alias: CVE-2020-10698
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1818925 1818926 1818927
Blocks: 1818771
Reported: 2020-03-30 17:38 UTC by Borja Tarraso
Modified: 2023-12-01 13:42 UTC
CC List: 4 users

Fixed In Version: ansible_tower 3.6.4, ansible_tower 3.5.6, ansible_tower 3.4.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of jobs executed by other organizations. Some sensitive data can be disclosed. However, critical data should not be disclosed, as it should be protected by the no_log flag when debugging is enabled.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Borja Tarraso 2020-03-30 17:38:27 UTC
Ansible Tower should prevent ws group subscription if the group is not specified in the valid format. Otherwise, this would allow normal users to intercept stdout from jobs running in other organizations.
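The description above calls for rejecting websocket group subscriptions that are not in a valid format. The following Python example is added here and is not code from the bug report or from the Ansible Tower/AWX code base; it sketches that defence in the abstract. Requested group names are matched against an allowlist of formats, and for per-job streams the subscribing user's permission on that job is checked before the group is joined. The permissive `subscribe_unchecked` sits beside the hardened `subscribe_checked` to make the difference visible. The group-name formats, the `JOBS` table, the `User` type and `can_read_job` are all constructed assumptions for the illustration.

```python
"""Validate websocket group subscriptions before honouring them.

Added illustration, not code from Ansible Tower or AWX. The group-name
formats, the job table and the permission check are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed example group-name formats (assumption, not Tower's real names).
# A request that matches none of these is rejected before any lookup happens.
_GROUP_PATTERNS = (
    re.compile(r"jobs-status_changed"),            # broadcast status channel
    re.compile(r"job_events-(?P<job_id>[0-9]+)"),  # per-job stdout stream
)


class InvalidGroupName(ValueError):
    """Group name is not in one of the accepted formats."""


class PermissionDenied(Exception):
    """Caller may not read the job behind this group."""


@dataclass(frozen=True)
class User:
    name: str
    organization: str


# Constructed job table: job id -> owning organization (assumption).
JOBS = {42: "org-a", 7: "org-b"}


def can_read_job(user: User, job_id: int) -> bool:
    """Object-level check: a normal user sees only jobs of their own organization."""
    return JOBS.get(job_id) == user.organization


def parse_group(name: str) -> dict:
    """Return the fields captured from a well-formed group name, else raise.

    fullmatch() is used so that trailing characters (including a newline)
    cannot smuggle an otherwise valid-looking name past the check.
    """
    for pattern in _GROUP_PATTERNS:
        match = pattern.fullmatch(name)
        if match:
            return match.groupdict()
    raise InvalidGroupName(name)


def subscribe_unchecked(user: User, groups: list) -> list:
    """Weak behaviour: every requested group is joined as-is, so the client,
    not the server, decides which stdout streams it receives."""
    return list(groups)


def subscribe_checked(user: User, groups: list) -> list:
    """Hardened behaviour: enforce the format first, then the object permission.

    Either failure aborts the whole request so no partial subscription is made.
    """
    accepted = []
    for name in groups:
        fields = parse_group(name)
        job_id = fields.get("job_id")
        if job_id is not None and not can_read_job(user, int(job_id)):
            raise PermissionDenied(f"{user.name} may not read job {job_id}")
        accepted.append(name)
    return accepted


def evaluate(user: User, groups: list) -> str:
    """Summarise the outcome of a subscription request as a short label."""
    try:
        subscribe_checked(user, groups)
    except InvalidGroupName:
        return "invalid-format"
    except PermissionDenied:
        return "denied"
    return "accepted"


if __name__ == "__main__":
    alice = User("alice", "org-a")
    for request in (["job_events-42"], ["job_events-7"], ["job_events-7\n"], ["anything-goes"]):
        print(request, "->", evaluate(alice, request))
```

The ordering matters: the format check runs before any permission lookup, so malformed names never reach the object-level check, and a request mixing valid and invalid groups is refused as a whole rather than partially honoured.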

Comment 1 Borja Tarraso 2020-03-30 17:38:32 UTC
Acknowledgments:

Name: Ryan Petrello (Red Hat)

Comment 2 Borja Tarraso 2020-03-30 17:38:35 UTC
Statement:

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

Comment 6 Borja Tarraso 2020-03-30 17:53:02 UTC
Mitigation:

This issue can be mitigated by disabling the stdout from jobs run through the nginx configuration file. However, this may affect the usage of Tower, as the stdout stream would be hidden. To disable the output of running jobs, removing the entire 'location /websocket' block from the nginx configuration (and restarting the nginx service) would be required. Nginx will stop serving /websocket, returning a 404 HTTP code.

Comment 7 Borja Tarraso 2020-03-30 18:18:41 UTC
awx link: https://github.com/ansible/awx/pull/6465

