Bug 1755373 (CVE-2019-14846) - CVE-2019-14846 ansible: secrets disclosed on logs when no_log enabled
Summary: CVE-2019-14846 ansible: secrets disclosed on logs when no_log enabled
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14846
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1755795 1755796 1755797 1766399 1766400 1766401 1769188 1755513 1755514 1755515 1755516
Blocks: 1755369
TreeView+ depends on / blocked
 
Reported: 2019-09-25 11:33 UTC by Borja Tarraso
Modified: 2019-11-25 08:55 UTC (History)
37 users (show)

Fixed In Version: ansible-engine 2.8.6, ansible-engine 2.7.14, ansible-engine 2.6.20
Doc Type: If docs needed, set a value
Doc Text:
Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
Clone Of:
Environment:
Last Closed: 2019-10-25 00:51:12 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3864 None None None 2019-11-13 04:59:42 UTC
Red Hat Product Errata RHBA-2019:3947 None None None 2019-11-25 08:55:11 UTC
Red Hat Product Errata RHSA-2019:3201 None None None 2019-10-24 13:01:23 UTC
Red Hat Product Errata RHSA-2019:3202 None None None 2019-10-24 13:01:08 UTC
Red Hat Product Errata RHSA-2019:3203 None None None 2019-10-24 13:06:50 UTC
Red Hat Product Errata RHSA-2019:3207 None None None 2019-10-24 14:27:29 UTC

Description Borja Tarraso 2019-09-25 11:33:47 UTC
Secrets are disclosed on logs due to display is hardcoded to DEBUG level. This causes 'no_log’ parameter is ignored on tasks.

Comment 4 Borja Tarraso 2019-10-08 07:18:26 UTC
Acknowledgments:

Name: Paul Milbank (Pushpay Site Reliability Engineering), Harvey Rendell (Pushpay Site Reliability Engineering), Tom Henderson (Pushpay Site Reliability Engineering)

Comment 5 Salvatore Bonaccorso 2019-10-09 13:10:59 UTC
Hi

Is there any related upstream issue related to this issue or further information? The dependent issues are currently not accessible and we would like to determine which ansible versions in Debian are affected by this CVE.

Regards,
Salvatore

Comment 6 Toshio Kuratomi 2019-10-11 02:41:24 UTC
It almost certainly does.  Here's the upstream fix: https://github.com/ansible/ansible/pull/63366

Comment 7 errata-xmlrpc 2019-10-24 13:01:05 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202

Comment 8 errata-xmlrpc 2019-10-24 13:01:21 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201

Comment 9 errata-xmlrpc 2019-10-24 13:06:48 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203

Comment 10 errata-xmlrpc 2019-10-24 14:27:27 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207

Comment 11 Product Security DevOps Team 2019-10-25 00:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14846

Comment 14 Hardik Vyas 2019-11-06 05:14:11 UTC
Statement:

Red Hat Gluster Storage no more maintains its own version of Ansible, pre-requisite is to enable ansible repository. The fix will be consumed from core Ansible.


Note You need to log in before you can comment on or make changes to this bug.