A flaw was found in several Ansible modules, where parameters containing credentials, such as secrets, were being logged in plain text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality.
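A review-time check for the class of flaw described above, added here as an example and not taken from Ansible or from this bug report: it walks a module's argument_spec, including nested `options`, and reports credential-like parameters that never set `no_log`. The name pattern, the sample spec and the function name are assumptions made for illustration.

```python
import re

# Assumed heuristic for credential-like parameter names (not Ansible's own pattern).
SENSITIVE = re.compile(
    r"(pass(word|phrase|wd)?|secret|token|api_?key|private_?key|credential)", re.I
)


def audit_argument_spec(spec, prefix=""):
    """Return dotted paths of credential-like parameters that do not set no_log.

    An explicit no_log=False is treated as a reviewed decision and not reported.
    """
    findings = []
    for name, opts in spec.items():
        path = prefix + name
        names = [name] + list(opts.get("aliases", []))
        if "no_log" not in opts and any(SENSITIVE.search(n) for n in names):
            findings.append(path)
        # Suboptions need their own no_log. A parent with no_log=True is skipped
        # on the assumption that it already covers its nested values.
        sub = opts.get("options")
        if isinstance(sub, dict) and not opts.get("no_log"):
            findings.extend(audit_argument_spec(sub, path + "."))
    return findings


# Constructed argument_spec for a hypothetical module.
EXAMPLE_SPEC = {
    "url": {"type": "str", "required": True},
    "username": {"type": "str"},
    "password": {"type": "str", "no_log": True},
    "client_secret": {"type": "str"},  # unprotected: value would be logged
    "key": {"type": "str", "aliases": ["api_key"]},  # alias marks it as a credential
    "update_password": {"type": "str", "choices": ["always", "on_create"], "no_log": False},
    "proxy": {
        "type": "dict",
        "options": {
            "host": {"type": "str"},
            "auth_token": {"type": "str"},  # nested and unprotected
        },
    },
}

if __name__ == "__main__":
    for path in audit_argument_spec(EXAMPLE_SPEC):
        print("missing no_log:", path)
```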
Created ansible tracking bugs for this issue:
  Affects: epel-all [bug 1939440]
  Affects: fedora-all [bug 1939441]
  Affects: openstack-rdo [bug 1939444]
Acknowledgments: Name: John Barker (Red Hat), Felix Fontein, Chen Zhi (Zhejiang University)
Hi, as I would like to try to track this in the right way as well in another downstream, do you know if this has an upstream issue reported? Regards,
Hi, I checked about the above asked and found no trace of any upstream issue report. However, I am not completely sure as of now. Kind Regards, Tapas J
Statement: Red Hat Gluster Storage 3 no longer maintains its own version of Ansible. The prerequisite is to enable the Ansible repository in order to consume the latest version of Ansible, which has many bug and security fixes.
This issue has been addressed in the following products:
  Red Hat Ansible Automation Platform 1.2 for RHEL 7
Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3447
This issue has been addressed in the following products:
  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7
Via RHSA-2021:1342 https://access.redhat.com/errata/RHSA-2021:1342
This issue has been addressed in the following products:
  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7
Via RHSA-2021:1343 https://access.redhat.com/errata/RHSA-2021:1343
This issue has been addressed in the following products:
  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
Via RHSA-2021:2736 https://access.redhat.com/errata/RHSA-2021:2736
This issue has been addressed in the following products:
  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8
Via RHSA-2021:2866 https://access.redhat.com/errata/RHSA-2021:2866