Bug 1869154 (CVE-2020-14365) - CVE-2020-14365 ansible: dnf module install packages with no GPG signature
Summary: CVE-2020-14365 ansible: dnf module install packages with no GPG signature
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14365
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1869155 1869156 1869157 1869158 1869159 1869160
Blocks: 1867550
TreeView+ depends on / blocked
 
Reported: 2020-08-17 06:03 UTC by Borja Tarraso
Modified: 2021-06-16 01:16 UTC (History)
29 users (show)

Fixed In Version: ansible-engine 2.8.15, ansible-engine 2.9.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
Clone Of:
Environment:
Last Closed: 2020-09-02 01:17:27 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:3729 0 None None None 2020-09-14 09:23:02 UTC
Red Hat Product Errata RHBA-2020:4164 0 None None None 2020-10-01 15:57:26 UTC
Red Hat Product Errata RHSA-2020:3600 0 None None None 2020-09-01 19:31:02 UTC
Red Hat Product Errata RHSA-2020:3601 0 None None None 2020-09-01 19:31:41 UTC
Red Hat Product Errata RHSA-2020:3602 0 None None None 2020-09-01 19:32:19 UTC

Description Borja Tarraso 2020-08-17 06:03:31 UTC 
The dnf ansible module is not checking GPG signatures when installing packages. This allows installing malicious packages previously stored in the dnf repository. This could lead in an integrity problem and service availability disruption.
Comment 2 Borja Tarraso 2020-08-17 06:03:39 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 6 Borja Tarraso 2020-08-21 08:14:28 UTC 
Acknowledgments:

Name: Bruno Travouillon (Atos)
Comment 11 errata-xmlrpc 2020-09-01 19:30:59 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:3600 https://access.redhat.com/errata/RHSA-2020:3600
Comment 12 errata-xmlrpc 2020-09-01 19:31:39 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2020:3601 https://access.redhat.com/errata/RHSA-2020:3601
Comment 13 errata-xmlrpc 2020-09-01 19:32:16 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:3602 https://access.redhat.com/errata/RHSA-2020:3602
Comment 15 Product Security DevOps Team 2020-09-02 01:17:27 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14365
Comment 26 Borja Tarraso 2020-11-03 07:40:40 UTC 
Statement:

Ansible Engine 2.8.14 and 2.9.12 as well as previous versions versions are affected.

Ansible Tower 3.7.2 and 3.6.5 as well as previous versions are affected for containerized versions and has been fixed indirectly in the 3.6.6 and 3.7.3 releases. For non-containerized Ansible Tower versions, the fix is provided via yum update or yum install.

Red Hat Gluster Storage(RHGS) 3, Red Hat Ceph Storage (RHCS) 2 and 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository. As RHCS 2 and 3 do not use dnf, impact rating is reduced to Low. RHCS still ship ansible separately for Ceph on Ubuntu, but Ubuntu is not impacted by this vulnerability as it uses apt instead of dnf.

Red Hat OpenStack Platform 10 and 13 ship a vulnerable version of Ansible, however installation of packages is done via yum instead of dnf so this flaw will have no effect.
Note You need to log in before you can comment on or make changes to this bug.