Description
Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. As a result, any sensitive data contained in those task results is disclosed to and collected by the log collector.
A data disclosure flaw was found in Ansible when using the Splunk and Sumologic modules, as they do not respect the no_log flag when it is enabled. This flaw can disclose and collect sensitive data from the system and expose it to an attacker.
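As an added illustration (not Ansible's own plugin code and not the vendor fix), the following Python sketch contrasts a log-forwarding callback that serialises the raw task result with one that censors the result before the event leaves the host. The `_ansible_no_log` key is the marker Ansible places on a task result when `no_log` is set; the sample result, host name, task name and censor message are constructed for this example.

```python
import json

# Constructed sample task result, shaped like what a callback plugin receives.
# Only '_ansible_no_log' is a real Ansible key; the remaining values are made up.
SAMPLE_RESULT = {
    "_ansible_no_log": True,
    "changed": True,
    "invocation": {"module_args": {"password": "s3cr3t-db-password"}},
    "msg": "user created",
}


def build_event_unsafe(host, task_name, result):
    """Vulnerable pattern: forwards the raw task result verbatim, ignoring no_log."""
    return {"host": host, "task": task_name, "result": result}


def censor_result(result):
    """Return a collector-safe copy of a task result.

    If the task was run with no_log the whole payload is replaced, because any
    field (module args, msg, stdout) may carry the secret. Otherwise Ansible's
    internal '_ansible_*' keys are stripped and the rest is forwarded unchanged.
    """
    if result.get("_ansible_no_log"):
        return {"censored": "output hidden because no_log: true was set for this task"}
    return {k: v for k, v in result.items() if not k.startswith("_ansible_")}


def build_event_safe(host, task_name, result):
    """Hardened pattern: censor before the event is built for the collector."""
    return {"host": host, "task": task_name, "result": censor_result(result)}


def serialize_event(event):
    """Serialise an event exactly as it would be posted to an HTTP collector."""
    return json.dumps(event, sort_keys=True)


def leaks_secret(event_json, secret):
    """Defender-side check: does the serialised event still contain the secret?"""
    return secret in event_json


if __name__ == "__main__":
    secret = "s3cr3t-db-password"
    for label, builder in (("unsafe", build_event_unsafe), ("safe", build_event_safe)):
        payload = serialize_event(builder("web1", "create db user", SAMPLE_RESULT))
        print(f"{label}: leaks secret = {leaks_secret(payload, secret)}")
```

Run it to see that the unsafe builder leaks the password into the collector payload while the safe builder emits only the censor marker. The same check can be applied to stored collector events to confirm that no_log tasks from an affected Ansible version were not forwarded in clear.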
Report
- The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat OpenStack Platform (RHOSP) does not use Sumo Logic or Splunk, Red Hat will not be providing a fix for RHOSP Ansible at this time.
- Red Hat Gluster Storage no longer maintains its own version of Ansible; the prerequisite is to enable the Ansible repository. The fix will be consumed from core Ansible.
- Ansible Tower’s Splunk logging integration uses the Splunk HTTP Collector and Ansible Engine.
- The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat Satellite 6.4 and 6.5 do not use Sumo Logic or Splunk, Red Hat will not be providing a fix for Satellite 6.4 and 6.5 and Ansible at this time. Users may upgrade to Satellite 6.6 or later which includes the resolution to this bug if desired.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| CloudForms Management Engine 5 | ansible | Not affected | | |
| Red Hat Ansible Tower 3 | ansible | Not affected | | |
| Red Hat Ceph Storage 2 | ansible | Out of support scope | | |
| Red Hat Ceph Storage 3 | ansible | Affected | | |
| Red Hat OpenStack Platform 10 (Newton) | ansible | Will not fix | | |
| Red Hat OpenStack Platform 13 (Queens) | ansible | Will not fix | | |
| Red Hat OpenStack Platform 14 (Rocky) | ansible | Will not fix | | |
| Red Hat Satellite 6 | ansible | Out of support scope | | |
| Red Hat Storage 3 | ansible | Will not fix | | |
| Red Hat Ansible Engine 2.7 for RHEL 7 | ansible | Fixed | RHSA-2019:3925 | 20.11.2019 |
Additional information
Status: 5.7 Medium (CVSS3)
Related vulnerabilities
Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible
Vulnerability in the Splunk and Sumologic modules of the Ansible configuration management system, allowing an attacker to gain unauthorized access to protected information
5.7 Medium (CVSS3)