Bug 1760593 (CVE-2019-14858) - CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in certain failure scenarios
Summary: CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in cer...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14858
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1760598 1760599 1760600 1766391 1766392 1766393 1766409 1769190 1760594 1760595 1760596 1760597
Blocks: 1760566
TreeView+ depends on / blocked
 
Reported: 2019-10-10 21:45 UTC by Borja Tarraso
Modified: 2019-11-25 08:55 UTC (History)
38 users (show)

Fixed In Version: ansible-engine 2.6.20, ansible-engine 2.7.14, ansible-engine 2.8.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-25 00:51:20 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3864 None None None 2019-11-13 04:59:43 UTC
Red Hat Product Errata RHBA-2019:3947 None None None 2019-11-25 08:55:10 UTC
Red Hat Product Errata RHSA-2019:3201 None None None 2019-10-24 13:01:28 UTC
Red Hat Product Errata RHSA-2019:3202 None None None 2019-10-24 13:01:12 UTC
Red Hat Product Errata RHSA-2019:3203 None None None 2019-10-24 13:06:51 UTC
Red Hat Product Errata RHSA-2019:3207 None None None 2019-10-24 14:27:30 UTC

Description Borja Tarraso 2019-10-10 21:45:05 UTC
When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

Comment 1 Borja Tarraso 2019-10-10 21:45:07 UTC
Acknowledgments:

Name: Sam Doran (Red Hat)

Comment 5 Salvatore Bonaccorso 2019-10-12 07:11:21 UTC
Do you have an upstream reference on this issue?

Comment 6 Toshio Kuratomi 2019-10-14 15:53:29 UTC
Upstream fix is: https://github.com/ansible/ansible/pull/63405

Note that the code has changed quite a bit here so some of the backprots will be very different looking.

Comment 8 errata-xmlrpc 2019-10-24 13:01:10 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202

Comment 9 errata-xmlrpc 2019-10-24 13:01:26 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201

Comment 10 errata-xmlrpc 2019-10-24 13:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203

Comment 11 errata-xmlrpc 2019-10-24 14:27:28 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207

Comment 12 Product Security DevOps Team 2019-10-25 00:51:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14858

Comment 16 Summer Long 2019-10-29 00:32:06 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1766409]

Comment 18 Hardik Vyas 2019-11-06 05:31:43 UTC
Statement:

* Fixes for Red Hat OpenStack Platform (RHOSP) have been set to 'Moderate' because flaw exploitation requires running Ansible with increased verbosity which is not the RHOSP deployment default.
* Red Hat Gluster Storage no more maintains its own version of Ansible, pre-requisite is to enable ansible repository. The fix will be consumed from core Ansible.


Note You need to log in before you can comment on or make changes to this bug.