The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file. References: https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md https://www.securityfocus.com/bid/68233
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1831260] Affects: fedora-all [bug 1831259]
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository.
This is a bug for Ansible 1.5.4 and previous versions, really old, and fixed on 1.5.5 and after long time ago, when it was Ansible Core. Currently we support 2.9.x, 2.8.x, and 2.7.x. and from 2.4 it is called Ansible Engine. So Ansible in all supported current versions is not affected.
Red Hat Ceph Storage and Red Hat Gluster Storage shipped ansible versions 2.4.1 and 2.3.2 respectively, which are not affected by this vulnerability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-4658