Bug 1939349 (CVE-2021-3447) - CVE-2021-3447 ansible: multiple modules expose secured values
Summary: CVE-2021-3447 ansible: multiple modules expose secured values
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3447
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939444 1939448 1939449 1939440 1939441 1939445 1939446 1939447
Blocks: 1938335 1939694
TreeView+ depends on / blocked
 
Reported: 2021-03-16 07:57 UTC by Tapas Jena
Modified: 2021-04-22 21:06 UTC (History)
41 users (show)

Fixed In Version: Red Hat Ansible Automation Platform 1.2.2, Ansible Tower 3.8.2
Doc Type: ---
Doc Text:
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-04-09 17:35:11 UTC


Attachments (Terms of Use)

Description Tapas Jena 2021-03-16 07:57:05 UTC
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality.

Comment 3 Tapas Jena 2021-03-16 12:15:32 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1939440]
Affects: fedora-all [bug 1939441]
Affects: openstack-rdo [bug 1939444]

Comment 5 Borja Tarraso 2021-03-17 06:36:04 UTC
Acknowledgments:

Name: John Barker (Red Hat), Felix Fontein, Chen Zhi (Zhejiang University)

Comment 6 Salvatore Bonaccorso 2021-03-20 07:53:45 UTC
Hi

As I would like to try to track this in right way as well in another downstream, do you know if this has an upstream issue reported?

Regards,

Comment 7 Tapas Jena 2021-03-24 15:41:58 UTC
Hi,

I checked about the above asked and found no trace of any upstream issue report.However, I am not completely sure as of now.

Kind Regards,
Tapas J

Comment 9 amctagga 2021-03-29 15:20:50 UTC
Statement:

Red Hat Gluster Storage 3 no longer maintains its own version of ansible, prerequisite is to enable ansible repository in order to consume the latest version of ansible which has many bug and security fixes.

Comment 10 errata-xmlrpc 2021-04-06 13:20:55 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079

Comment 11 Product Security DevOps Team 2021-04-09 17:35:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3447

Comment 12 errata-xmlrpc 2021-04-22 21:05:48 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:1342 https://access.redhat.com/errata/RHSA-2021:1342

Comment 13 errata-xmlrpc 2021-04-22 21:06:31 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:1343 https://access.redhat.com/errata/RHSA-2021:1343


Note You need to log in before you can comment on or make changes to this bug.