Bug 1773622 (CVE-2019-14890) - CVE-2019-14890 Tower: RHSM username and password exposed after license application
Summary: CVE-2019-14890 Tower: RHSM username and password exposed after license applic...
Alias: CVE-2019-14890
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1775627 1775628 1775629
Blocks: 1773623
TreeView+ depends on / blocked
Reported: 2019-11-18 15:04 UTC by Borja Tarraso
Modified: 2021-02-16 21:03 UTC (History)
14 users (show)

Fixed In Version: ansible_tower 3.6.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Tower where the RHSM credentials are saved in plain text in the database that is available at '/api/v2/config' after applying the Ansible Tower license. Attackers with this information could log into RHSM and modify licenses and make other changes.
Clone Of:
Last Closed: 2019-11-25 14:59:33 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3958 0 None None None 2019-11-25 14:21:51 UTC

Description Borja Tarraso 2019-11-18 15:04:21 UTC
After submitting a new license using the new RHSM on Ansible Tower 3.6.0, licensed data such as username and password are exposed at '/api/v2/config/'. These credentials are saved into the database as plaintext.

Comment 1 Borja Tarraso 2019-11-18 15:04:24 UTC

Name: Victor da Costa (Red Hat)

Comment 4 Borja Tarraso 2019-11-25 13:01:57 UTC

There is no mitigation for this issue since this issue happens when Red Hat license is applied.

Comment 7 errata-xmlrpc 2019-11-25 14:21:50 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2019:3958 https://access.redhat.com/errata/RHSA-2019:3958

Comment 8 Eric Christensen 2019-11-26 21:16:55 UTC

Ansible Tower 3.6.0 is affected, but Ansible Tower 3.5, 3.4, and 3.3 are not vulnerable as they do not include the new RHSM.

CloudForms 5.9 and 5.10 are not vulnerable as they do not use Ansible Tower 3.6.0.

Note You need to log in before you can comment on or make changes to this bug.