Bug 1588855 - (CVE-2018-10855) CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20180611,repor...
: Security
Depends On: 1589299 1589301 1589304 1590642 1590643 1590644 1590675 1590676 1590677 1589298 1589303 1590199 1590200 1590503 1590504 1590505 1590664
Blocks: 1588859
Reported: 2018-06-07 20:14 EDT by Sam Fowler
Modified: 2018-08-10 18:31 EDT (History)
89 users

See Also:
Fixed In Version: Ansible 2.4.5, Ansible 2.5.5
Doc Type: If docs needed, set a value
Doc Text:
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1948 None None None 2018-06-19 15:27 EDT
Red Hat Product Errata RHSA-2018:1949 None None None 2018-06-19 15:27 EDT
Red Hat Product Errata RHSA-2018:2022 None None None 2018-06-26 13:12 EDT
Red Hat Product Errata RHSA-2018:2079 None None None 2018-06-27 06:04 EDT
Red Hat Product Errata RHSA-2018:2184 None None None 2018-07-12 09:14 EDT

Description Sam Fowler 2018-06-07 20:14:19 EDT
Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled.
Comment 4 Toshio Kuratomi 2018-06-08 12:03:17 EDT
We have a fix for this issue upstream.
Comment 7 Sam Fowler 2018-06-10 23:05:21 EDT
Acknowledgments:

Name: Tobias Henkel (BMW Car IT GmbH)
Comment 8 Toshio Kuratomi 2018-06-11 17:02:35 EDT
After talking to btarasso, we have pushed out a PR to address this: https://github.com/ansible/ansible/pull/41414  Will be merging that and backporting to the stable-2.4, stable-2.5 and stable-2.6 branches.  Releases or release candidates with the fix applied will then be released from those branches.
Comment 9 Borja Tarraso 2018-06-12 04:06:43 EDT
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1590199]
Affects: fedora-all [bug 1590200]
Comment 10 Toshio Kuratomi 2018-06-12 11:04:50 EDT
I talked to bcoca about the upstream changelog entry for this today and he let me know that iteration is not necessary to provoke this bug.  It is provoked by some (but not all) exceptions raised by a connection plugin.  This will be the text of our changelog entry:

"Some connection exceptions would cause no_log specified on a task to be ignored.  If this happened, the task information, including any private information could have been displayed to stdout and (if enabled, not the default) logged to a log file specified in ansible.cfg's log_path.  Additionally, sites which redirected stdout from ansible runs to a log file may have stored that private information onto disk that way as well"
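Added triage example (not part of the bug report and not Ansible project code): given the output of `ansible --version` and the contents of an `ansible.cfg`, it reports whether the installation falls in the affected ranges stated in the Doc Text (2.4 before 2.4.5, 2.5 before 2.5.5) and whether a `log_path` was configured, which is the condition under which the leaked task data would also have been written to disk rather than only to the terminal. The version-string format and the sample config are assumptions made for this example; `ansible.cfg` is read as an INI file with `configparser`.

```python
"""Triage helper for CVE-2018-10855 (added example, not from the bug report).

Assumptions not stated on the page: the version string looks like
"ansible 2.5.4" or "2.5.4", and ansible.cfg is a plain INI file that
configparser can read. SAMPLE_CFG below is constructed for this example.
"""
import configparser
import re

# Affected ranges per the bug's Doc Text: a branch is vulnerable below
# its first fixed release. Branches not named here are out of scope.
FIXED_VERSIONS = {(2, 4): (2, 4, 5), (2, 5): (2, 5, 5)}


def parse_version(text):
    """Extract (major, minor, patch) from 'ansible 2.5.4' or '2.5.4'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version_text):
    """True if the version is in a range the advisory lists as vulnerable."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return False
    return v < fixed


def log_path_from_cfg(cfg_text):
    """Return [defaults] log_path if set, else None (file logging is off by default)."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    return parser.get("defaults", "log_path", fallback=None)


def triage(version_text, cfg_text):
    """Summarise exposure: affected version, and whether output also hit disk."""
    affected = is_affected(version_text)
    log_path = log_path_from_cfg(cfg_text)
    return {
        "affected": affected,
        "log_path": log_path,
        # Terminal exposure applies to every affected version; disk exposure
        # additionally requires log_path to have been configured.
        "disk_exposure": affected and log_path is not None,
    }


# Constructed sample ansible.cfg for the example.
SAMPLE_CFG = """
[defaults]
inventory = ./hosts
log_path = /var/log/ansible.log
"""

if __name__ == "__main__":
    for v in ("ansible 2.4.4", "ansible 2.5.5", "ansible 2.5.2"):
        print(v, triage(v, SAMPLE_CFG))
```

In practice you would feed the function the real `ansible --version` output and the `ansible.cfg` actually in use; a configured `log_path` on an affected version means the log file, as well as any file that captured stdout, should be treated as possibly containing the task's sensitive arguments.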
Comment 20 errata-xmlrpc 2018-06-19 15:26:41 EDT
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:1948 https://access.redhat.com/errata/RHSA-2018:1948
Comment 21 errata-xmlrpc 2018-06-19 15:27:03 EDT
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:1949 https://access.redhat.com/errata/RHSA-2018:1949
Comment 22 errata-xmlrpc 2018-06-19 15:27:35 EDT
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:1949 https://access.redhat.com/errata/RHSA-2018:1949
Comment 24 Doran Moppert 2018-06-26 01:00:48 EDT
External References:

https://github.com/ansible/ansible/pull/41414
Comment 25 errata-xmlrpc 2018-06-26 13:12:14 EDT
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.4 for RHEL 7

Via RHSA-2018:2022 https://access.redhat.com/errata/RHSA-2018:2022
Comment 26 errata-xmlrpc 2018-06-27 06:04:01 EDT
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2079 https://access.redhat.com/errata/RHSA-2018:2079
Comment 27 errata-xmlrpc 2018-07-12 09:14:13 EDT
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:2184 https://access.redhat.com/errata/RHSA-2018:2184
