Bug 1916813 (CVE-2021-20191) - CVE-2021-20191 ansible: multiple modules expose secured values
Summary: CVE-2021-20191 ansible: multiple modules expose secured values
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20191
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1916818 1916819 1916820 1916862 1916863 1916864 1917473 1917474 1917475 1962577
Blocks: 1916830
TreeView+ depends on / blocked
 
Reported: 2021-01-15 15:48 UTC by Borja Tarraso
Modified: 2024-02-14 15:20 UTC (History)
36 users (show)

Fixed In Version: ansible 2.9.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-02-24 19:02:34 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0663 0 None None None 2021-02-24 17:46:15 UTC
Red Hat Product Errata RHSA-2021:0664 0 None None None 2021-02-24 17:47:05 UTC

Description Borja Tarraso 2021-01-15 15:48:40 UTC 
A few different modules leak sensitive data such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.
Comment 1 Borja Tarraso 2021-01-15 15:48:44 UTC 
Acknowledgments:

Name: Rick Elrod (Red Hat)
Comment 6 Trishna Guha 2021-01-18 10:52:38 UTC 
This issue is addressed in https://github.com/ansible-collections/cisco.nxos/pull/227.
Comment 7 Tapas Jena 2021-01-18 14:46:58 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1917474]
Affects: fedora-all [bug 1917473]
Affects: openstack-rdo [bug 1917475]
Comment 12 Sandra McCann 2021-02-24 16:45:45 UTC 
This CVE has been addressed in:

  * Ansible 2.8.19 and newer
  * Ansible 2.9.18 and newer
  * Ansible 2.10.7 and newer

As well as in the following Ansible Collections:

  * cisco.nxos 1.4.0 and newer
  * community.docker 1.2.2 and newer
  * community.general 1.3.6 and newer and 2.0.1 and newer
  * community.network 1.3.2 and newer and 2.0.1 and newer
  * google.cloud 1.0.2
Comment 13 errata-xmlrpc 2021-02-24 17:46:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663
Comment 14 errata-xmlrpc 2021-02-24 17:47:03 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664
Comment 15 Product Security DevOps Team 2021-02-24 19:02:34 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20191
Comment 16 Hardik Vyas 2021-03-29 14:24:54 UTC 
Statement:

The version of ansible shipped with Red Hat Gluster Storage (RHGS) 3 includes the vulnerable `network/nxos/nxos_*` modules. However, RHGS 3 no longer maintains its own version of Ansible, prerequisite is to enable ansible repository in order to consume the latest version of ansible which has many bug and security fixes.
Comment 17 errata-xmlrpc 2021-04-06 13:20:47 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079
Comment 20 errata-xmlrpc 2021-06-01 13:23:38 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180
Note You need to log in before you can comment on or make changes to this bug.