Bug 1939349 (CVE-2021-3447) - CVE-2021-3447 ansible: multiple modules expose secured values
Summary: CVE-2021-3447 ansible: multiple modules expose secured values
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3447
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939440 1939441 1939444 1939445 1939446 1939447 1939448 1939449 1967881 1969368
Blocks: 1938335 1939694
TreeView+ depends on / blocked
 
Reported: 2021-03-16 07:57 UTC by Tapas Jena
Modified: 2021-11-21 20:43 UTC (History)
50 users (show)

Fixed In Version: Red Hat Ansible Automation Platform 1.2.2, Ansible Tower 3.8.2
Doc Type: ---
Doc Text:
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-04-09 17:35:11 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2736 0 None None None 2021-07-22 15:06:56 UTC
Red Hat Product Errata RHSA-2021:2866 0 None None None 2021-07-22 15:26:03 UTC

Description Tapas Jena 2021-03-16 07:57:05 UTC 
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality.
Comment 3 Tapas Jena 2021-03-16 12:15:32 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1939440]
Affects: fedora-all [bug 1939441]
Affects: openstack-rdo [bug 1939444]
Comment 5 Borja Tarraso 2021-03-17 06:36:04 UTC 
Acknowledgments:

Name: John Barker (Red Hat), Felix Fontein, Chen Zhi (Zhejiang University)
Comment 6 Salvatore Bonaccorso 2021-03-20 07:53:45 UTC 
Hi

As I would like to try to track this in right way as well in another downstream, do you know if this has an upstream issue reported?

Regards,
Comment 7 Tapas Jena 2021-03-24 15:41:58 UTC 
Hi,

I checked about the above asked and found no trace of any upstream issue report.However, I am not completely sure as of now.

Kind Regards,
Tapas J
Comment 9 Sage McTaggart 2021-03-29 15:20:50 UTC 
Statement:

Red Hat Gluster Storage 3 no longer maintains its own version of ansible, prerequisite is to enable ansible repository in order to consume the latest version of ansible which has many bug and security fixes.
Comment 10 errata-xmlrpc 2021-04-06 13:20:55 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079
Comment 11 Product Security DevOps Team 2021-04-09 17:35:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3447
Comment 12 errata-xmlrpc 2021-04-22 21:05:48 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:1342 https://access.redhat.com/errata/RHSA-2021:1342
Comment 13 errata-xmlrpc 2021-04-22 21:06:31 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:1343 https://access.redhat.com/errata/RHSA-2021:1343
Comment 16 errata-xmlrpc 2021-07-22 15:06:49 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2736 https://access.redhat.com/errata/RHSA-2021:2736
Comment 17 errata-xmlrpc 2021-07-22 15:26:02 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2866 https://access.redhat.com/errata/RHSA-2021:2866
Note You need to log in before you can comment on or make changes to this bug.