Bug 1814627 (CVE-2020-10685) - CVE-2020-10685 Ansible: modules which use files encrypted with vault are not properly cleaned up
Summary: CVE-2020-10685 Ansible: modules which use files encrypted with vault are not ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10685
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1814628 1814629 1814630 1814631 1814632 1814633 1814634 1814635 1815126 1816312 1816313 1816315 1816914
Blocks: 1800569
TreeView+ depends on / blocked
 
Reported: 2020-03-18 12:07 UTC by Borja Tarraso
Modified: 2022-10-02 21:51 UTC (History)
39 users (show)

Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found on Ansible Engine when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the secrets unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decrypted data remains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted is sensible.
Clone Of:
Environment:
Last Closed: 2020-04-22 16:32:20 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2150 0 None None None 2020-05-14 11:25:15 UTC
Red Hat Product Errata RHBA-2020:2251 0 None None None 2020-05-21 19:05:09 UTC
Red Hat Product Errata RHSA-2020:1541 0 None None None 2020-04-22 14:09:27 UTC
Red Hat Product Errata RHSA-2020:1542 0 None None None 2020-04-22 14:09:45 UTC
Red Hat Product Errata RHSA-2020:1543 0 None None None 2020-04-22 14:10:04 UTC
Red Hat Product Errata RHSA-2020:1544 0 None None None 2020-04-22 14:10:22 UTC

Description Borja Tarraso 2020-03-18 12:07:53 UTC 
When a module uses a file that was encrypted with vault, it doesn not remove the decrypted file in /tmp after its usage.
Comment 1 Borja Tarraso 2020-03-18 12:08:15 UTC 
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)
Comment 3 Borja Tarraso 2020-03-18 12:08:32 UTC 
Mitigation:

Currently, there is no mitigation for this issue except by removing manually the temporary created file after every run.
Comment 6 Hardik Vyas 2020-03-19 14:41:04 UTC 
Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.
Comment 8 Borja Tarraso 2020-03-23 19:08:42 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1816312]
Affects: fedora-all [bug 1816313]
Affects: openstack-rdo [bug 1816315]
Comment 9 Yadnyawalk Tale 2020-03-24 14:10:50 UTC 
Removing CloudForms from affects list. CloudForms 5.10 & 5.11 both subscribe to Ansible repos, so we do not need to include cfme5/ansible in affects nor file trackers. ansible_engine affects entries are sufficient to inform Cloudforms customers.
Comment 10 Borja Tarraso 2020-03-24 17:41:01 UTC 
Upstream fix: https://github.com/ansible/ansible/pull/68433
Comment 13 errata-xmlrpc 2020-04-22 14:09:25 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541
Comment 14 errata-xmlrpc 2020-04-22 14:09:43 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542
Comment 15 errata-xmlrpc 2020-04-22 14:10:01 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543
Comment 16 errata-xmlrpc 2020-04-22 14:10:20 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544
Comment 17 Product Security DevOps Team 2020-04-22 16:32:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10685
Comment 18 Summer Long 2021-01-18 01:23:53 UTC 
Statement:

* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.
Note You need to log in before you can comment on or make changes to this bug.