1847843 – (CVE-2020-10782) CVE-2020-10782 Tower: rsyslog configuration has world readable permissions

Bug 1847843 (CVE-2020-10782) - CVE-2020-10782 Tower: rsyslog configuration has world readable permissions

Summary: CVE-2020-10782 Tower: rsyslog configuration has world readable permissions

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-10782
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1847947
Blocks:	1847831
TreeView+	depends on / blocked

Reported:	2020-06-17 08:01 UTC by Borja Tarraso
Modified:	2021-02-16 19:52 UTC (History)
CC List:	9 users (show)
Fixed In Version:	ansible_tower 3.7.1
Doc Type:	If docs needed, set a value
Doc Text:	An exposure of sensitive information flaw was found in Ansible. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:	2020-06-19 05:20:40 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:2617	0	None	None	None	2020-06-19 01:40:16 UTC

Description Borja Tarraso 2020-06-17 08:01:49 UTC

The /var/lib/awx/rsyslog/rsyslog.conf has world readable permissions which could store some secrets such as the Splunk token. Rsyslog configuration file permissions must be set to 640 instead of 644.

Comment 1 Borja Tarraso 2020-06-17 08:01:53 UTC

Statement:

* Ansible Tower 3.7.0 is affected.

Comment 5 RaTasha Tillery-Smith 2020-06-17 13:36:04 UTC

Mitigation:

Setting manual permissions for the rsyslog.conf file to 0640 would mitigate the issue temporarily. However, be aware that every time the Tower services are restarted, the permissions are restored to 644 after some time.

Comment 6 errata-xmlrpc 2020-06-19 01:40:14 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.7 for RHEL 7

Via RHSA-2020:2617 https://access.redhat.com/errata/RHSA-2020:2617

Comment 7 Product Security DevOps Team 2020-06-19 05:20:40 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10782

Comment 8 bsterne 2020-07-07 23:12:07 UTC

It may be helpful to update the Doc Text for this bug to reference "service provisioning tokens" or similar rather than "Splunk tokens", as this is a bug in Ansible Tower, not Splunk. Splunk users may be unnecessarily alarmed by the current Doc Text, particularly if they are not also Ansible Tower users.

Comment 9 Borja Tarraso 2020-07-09 11:52:10 UTC

In reply to comment #8:
> It may be helpful to update the Doc Text for this bug to reference "service
> provisioning tokens" or similar rather than "Splunk tokens", as this is a
> bug in Ansible Tower, not Splunk. Splunk users may be unnecessarily alarmed
> by the current Doc Text, particularly if they are not also Ansible Tower
> users.

Hi Brandon,

You are right, the statement may lead in some unnecessary confusion. The intention was to give to end customers a possible threat of this flaw, by giving an specific example to them. I updated the doc-text to be more generic, so there is no room for a doubt.

Many thanks for your suggestion, it is really appreciated.

Borja Tarraso
Red Hat Product Security

Comment 10 bsterne 2020-07-09 16:53:19 UTC

Thanks very much, Borja!

Note You need to log in before you can comment on or make changes to this bug.