Bug 1977965 (CVE-2021-3702) - CVE-2021-3702 ansible-runner: Race condition with temporary files in tempfile.TemporaryDirectory()
Summary: CVE-2021-3702 ansible-runner: Race condition with temporary files in tempfile...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3702
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1977966 1977967 1977968
Blocks: 1977971
TreeView+ depends on / blocked
 
Reported: 2021-06-30 19:51 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC (History)
74 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality.
Clone Of:
Environment:
Last Closed: 2021-11-12 17:27:20 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2021-06-30 19:51:37 UTC 
A race condition was found in ansible-runner where an attacker could watch for a rapid creation and deletion of a temporary directory,
substitute their own directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made
use of the private_data_dir.

Upstream patch:

https://github.com/ansible/ansible-runner/pull/742/commits/0e9aa8a97e7832ef9a1553ef2908632a32d2b8c4
Comment 1 Pedro Sampaio 2021-06-30 19:52:23 UTC 
Created python-ansible-runner tracking bugs for this issue:

Affects: epel-7 [bug 1977968]
Affects: fedora-all [bug 1977967]
Affects: openstack-rdo [bug 1977966]
Comment 4 Sage McTaggart 2021-07-02 20:50:49 UTC 
Red Hat Ceph Storage 4 does not ship the affected code, and has been marked not affected.
Comment 5 Mark Cooper 2021-07-05 07:40:54 UTC 
In OCP 4.7, version 1.4.6-2 is packaged and is too old to have the vulnerable code - uses the secure version of mkstemp:
https://github.com/ansible/ansible-runner/blob/26a06567df037889f15e4b2eaa29919c6637986f/ansible_runner/utils.py#L151

In OCP 3.11, version 1.2.0-1 is packaged and uses the secure version of make temp:
https://github.com/ansible/ansible-runner/blob/94f58c7c3667102dbafbf3b2349322c594deeccc/ansible_runner/utils.py#L143

Looks like the vulnerable code got refactored around version 2 https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253
Comment 6 Mark Cooper 2021-07-05 12:32:47 UTC 
Well in hindsight even if the above ^ aren't the refactor'ed, the older versions still don't contain the code to insecurely create a temp dir.
Comment 8 Tapas Jena 2021-08-11 17:34:43 UTC 
Analysis is complete for all the concerned Ansible components and it was found that AAP 1.2 and Ansible Tower are affected by this vulnerability. However, AAP 2.0 is "Not Affected" by this vulnerability as it ships ansible-runner 2.0.1 which already contains the fix for this issue.
Comment 11 Tapas Jena 2021-11-12 17:16:58 UTC 
This vulnerability was part of ansible_runner_2.0 but was fixed before it got published it.  It was fixed by this PR https://github.com/ansible/ansible-runner/pull/742 (the commits in that PR got back-port to release_2.0 before we went GA)
This code wasn't part of 1.4 - so no released version of runner is actually impacted by this.

Finally, no any shipped ansible runner version from Red Hat has been facing the issue. Hence, though this was marked as "affected" initially, marking it back to "not affected" . However, since this is a valid vulnerability, the CVE will remain valid as well.
Comment 12 Product Security DevOps Team 2021-11-12 17:27:15 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3702
Note You need to log in before you can comment on or make changes to this bug.