Bug 1764148 (CVE-2019-14864) - CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14864
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1769192 1764188 1764190 1764191 1773470 1774003 1774004 1774005 1774007
Blocks: 1764140
 
Reported: 2019-10-22 11:19 UTC by Borja Tarraso
Modified: 2020-04-27 06:17 UTC (History)

Fixed In Version: ansible-engine 2.9.1, ansible-engine 2.8.7, ansible-engine 2.7.15
Doc Type: If docs needed, set a value
Doc Text:
A data disclosure flaw was found in Ansible when the Splunk and Sumologic callback plugins are used, as they do not respect the no_log flag when it is enabled. This flaw can disclose and collect sensitive data from the system and expose it to an attacker.
Clone Of:
Environment:
Last Closed: 2019-11-20 18:51:41 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3925 None None None 2019-11-20 14:50:06 UTC
Red Hat Product Errata RHSA-2019:3926 None None None 2019-11-20 14:55:13 UTC
Red Hat Product Errata RHSA-2019:3927 None None None 2019-11-20 14:54:45 UTC
Red Hat Product Errata RHSA-2019:3928 None None None 2019-11-20 14:52:01 UTC

Description Borja Tarraso 2019-10-22 11:19:50 UTC
Ansible is not respecting the flag no_log set to True when the Sumologic and Splunk callback plugins are used to send task result events to collectors. This would disclose and collect any sensitive data.
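
To make the flaw concrete from the defender's side, here is an added, stand-alone illustration (constructed for this write-up, not Ansible's own code or the upstream fix). Ansible marks the result of a task that ran with `no_log: true` by setting `_ansible_no_log` in the result dictionary; a callback plugin that forwards raw task results to an external collector has to check that marker before serialising the payload, otherwise the credentials the playbook author hid from stdout still reach the collector. The sample result, the censored-message wording, the function names and the `audit_events` checker are all assumptions of this example.

```python
"""Constructed demo: forwarding task results with and without honouring no_log.

Nothing here is Ansible code. `leaky_event` models a callback that ships the
raw result to a log collector; `safe_event` models the behaviour a callback
must have; `audit_events` is a small checker a defender can run over events
already exported from a collector to see whether no_log results got through.
"""
import json

# Replacement payload for censored results (wording constructed for this demo;
# it mirrors the style of Ansible's own censor message but is not quoted from it).
CENSORED_MSG = ("the output has been hidden because 'no_log: true' "
                "was specified for this result")

# Constructed sample: what a task such as `uri: ... password: "{{ db_pass }}"`
# run with `no_log: true` might hand to a callback plugin.
SAMPLE_RESULT = {
    "changed": True,
    "invocation": {
        "module_args": {
            "url": "https://db.example.invalid/login",
            "password": "s3cr3t-db-pass",   # the value no_log was meant to hide
        }
    },
    "_ansible_no_log": True,                # marker Ansible sets for no_log tasks
}


def leaky_event(result):
    """Pre-fix behaviour: serialise whatever the task returned, marker or not."""
    return json.dumps({"ansible_result": result})


def safe_event(result):
    """Fixed behaviour: if the result carries the no_log marker, ship only a
    censor notice (plus the marker itself, so downstream consumers can tell
    why the body is missing) instead of the real payload."""
    if result.get("_ansible_no_log"):
        payload = {"censored": CENSORED_MSG, "_ansible_no_log": True}
    else:
        payload = result
    return json.dumps({"ansible_result": payload})


def leaks_secret(event_json, secret):
    """True if the serialised event still contains the sensitive value."""
    return secret in event_json


def audit_events(events):
    """Return the indices of forwarded events whose ansible_result is marked
    no_log but still carries more than the censor notice, i.e. events that a
    non-compliant callback let through. Non-JSON events are skipped."""
    leaked = []
    for idx, raw in enumerate(events):
        try:
            body = json.loads(raw).get("ansible_result", {})
        except (ValueError, AttributeError):
            continue
        if not isinstance(body, dict) or not body.get("_ansible_no_log"):
            continue
        extra_keys = set(body) - {"_ansible_no_log", "censored"}
        if extra_keys:
            leaked.append(idx)
    return leaked


if __name__ == "__main__":
    secret = SAMPLE_RESULT["invocation"]["module_args"]["password"]
    before = leaky_event(SAMPLE_RESULT)
    after = safe_event(SAMPLE_RESULT)
    print("leaky callback exposes secret:", leaks_secret(before, secret))
    print("fixed callback exposes secret:", leaks_secret(after, secret))
    print("events needing attention:", audit_events([before, after]))
```

Running the script prints `True`, `False` and `[0]`: the leaky serialisation carries the password to the collector, the fixed one does not, and the audit picks out the leaked event. In a real deployment the same audit logic can be pointed at an export of the collector's index to decide whether secrets have to be rotated after upgrading to a fixed Ansible.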

Comment 5 Summer Long 2019-10-22 22:47:46 UTC
Upstream issue: https://github.com/ansible/ansible/issues/63522
Upstream fix: https://github.com/ansible/ansible/pull/63527

Comment 6 Borja Tarraso 2019-10-23 06:30:15 UTC
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat), Patrick O’Brien (The Trade Desk Inc)

Comment 13 Borja Tarraso 2019-11-19 12:24:37 UTC
Created ansible tracking bugs for this issue:

Affects: epel-6 [bug 1774003]
Affects: epel-7 [bug 1774004]
Affects: fedora-all [bug 1774005]
Affects: openstack-rdo [bug 1774007]

Comment 14 errata-xmlrpc 2019-11-20 14:50:04 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:3925 https://access.redhat.com/errata/RHSA-2019:3925

Comment 15 errata-xmlrpc 2019-11-20 14:51:59 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:3928 https://access.redhat.com/errata/RHSA-2019:3928

Comment 16 errata-xmlrpc 2019-11-20 14:54:43 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2019:3927 https://access.redhat.com/errata/RHSA-2019:3927

Comment 17 errata-xmlrpc 2019-11-20 14:55:11 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:3926 https://access.redhat.com/errata/RHSA-2019:3926

Comment 18 Product Security DevOps Team 2019-11-20 18:51:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14864

Comment 19 Cedric Buissart 2020-01-16 09:43:25 UTC
Statement:

* The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat OpenStack Platform (RHOSP) does not use Sumo Logic or Splunk, Red Hat will not be providing a fix for RHOSP Ansible at this time.
* Red Hat Gluster Storage no longer maintains its own version of Ansible; the prerequisite is to enable the Ansible repository. The fix will be consumed from core Ansible.
* Ansible Tower’s Splunk logging integration uses the Splunk HTTP Collector and Ansible Engine.
* The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat Satellite 6.4 and 6.5 do not use Sumo Logic or Splunk, Red Hat will not be providing a fix for Satellite 6.4 and 6.5 and Ansible at this time. Users may upgrade to Satellite 6.6 or later which includes the resolution to this bug if desired.

Comment 24 Yadnyawalk Tale 2020-04-22 10:24:31 UTC
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship the `ansible` package; it is provided by the official Ansible repository.
