Bug 1588855 (CVE-2018-10855) - CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
Summary: CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10855
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180611,repor...
Depends On: 1589301 1590675 1590677 1589298 1589299 1589303 1589304 1590199 1590200 1590503 1590504 1590505 1590642 1590643 1590644 1590664 1590676
Blocks: 1588859
TreeView+ depends on / blocked
 
Reported: 2018-06-08 00:14 UTC by Sam Fowler
Modified: 2019-06-11 11:13 UTC (History)
84 users (show)

Fixed In Version: Ansible 2.4.5, Ansible 2.5.5
Doc Type: If docs needed, set a value
Doc Text:
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:28:27 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1948 None None None 2018-06-19 19:27:14 UTC
Red Hat Product Errata RHSA-2018:1949 None None None 2018-06-19 19:27:57 UTC
Red Hat Product Errata RHSA-2018:2022 None None None 2018-06-26 17:12:40 UTC
Red Hat Product Errata RHSA-2018:2079 None None None 2018-06-27 10:04:25 UTC
Red Hat Product Errata RHSA-2018:2184 None None None 2018-07-12 13:14:43 UTC
Red Hat Product Errata RHSA-2018:2585 None None None 2018-08-29 16:05:26 UTC
Red Hat Product Errata RHSA-2019:0054 None None None 2019-01-16 17:10:05 UTC

Description Sam Fowler 2018-06-08 00:14:19 UTC
Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled.

Comment 4 Toshio Kuratomi 2018-06-08 16:03:17 UTC
We have a fix for this issue upstream

Comment 7 Sam Fowler 2018-06-11 03:05:21 UTC
Acknowledgments:

Name: Tobias Henkel (BMW Car IT GmbH)

Comment 8 Toshio Kuratomi 2018-06-11 21:02:35 UTC
After talking to btarasso, we have pushed out a PR to address this: https://github.com/ansible/ansible/pull/41414  Will be merging that and backporting to stbale-2.4 stable-2.5 and stable-2.6 branches.  Releases or release candidates with the fix applied will then be released from those branches.

Comment 9 Borja Tarraso 2018-06-12 08:06:43 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1590199]
Affects: fedora-all [bug 1590200]

Comment 10 Toshio Kuratomi 2018-06-12 15:04:50 UTC
I talked to bcoca about the upstream changelog entry for this today and he let me know that iteration is not necessary to provoke this bug.  It is provoked by some (but not all) exceptions raised by a connection plugin.  This will be the text of our changelog entry:

"Some connection exceptions would cause no_log specified on a task to be ignored.  If this happened, the task information, including any private information could have been displayed to stdout and (if enabled, not the default) logged to a log file specified in ansible.cfg's log_path.  Additionally, sites which redirected stdout from ansible runs to a log file may have stored that private information onto disk that way as well"

Comment 20 errata-xmlrpc 2018-06-19 19:26:41 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:1948 https://access.redhat.com/errata/RHSA-2018:1948

Comment 21 errata-xmlrpc 2018-06-19 19:27:03 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:1949 https://access.redhat.com/errata/RHSA-2018:1949

Comment 22 errata-xmlrpc 2018-06-19 19:27:35 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:1949 https://access.redhat.com/errata/RHSA-2018:1949

Comment 24 Doran Moppert 2018-06-26 05:00:48 UTC
External References:

https://github.com/ansible/ansible/pull/41414

Comment 25 errata-xmlrpc 2018-06-26 17:12:14 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.4 for RHEL 7

Via RHSA-2018:2022 https://access.redhat.com/errata/RHSA-2018:2022

Comment 26 errata-xmlrpc 2018-06-27 10:04:01 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2079 https://access.redhat.com/errata/RHSA-2018:2079

Comment 27 errata-xmlrpc 2018-07-12 13:14:13 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:2184 https://access.redhat.com/errata/RHSA-2018:2184

Comment 33 errata-xmlrpc 2018-08-29 16:05:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585

Comment 34 errata-xmlrpc 2019-01-16 17:10:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054


Note You need to log in before you can comment on or make changes to this bug.