Описание
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.
A security flaw was found in the Ansible Engine when managing Kubernetes using the k8s connection plugin. Sensitive parameters such as passwords and tokens are passed to the kubectl command line instead of using environment variables or an input configuration file, which is safer. This flaw discloses passwords and tokens from the process list, and the no_log directive from the debug module would not be reflected in the underlying command-line tools options, displaying passwords and tokens on stdout and log files.
Отчет
Ansible Engine 2.7.17, 2.8.10, and 2.9.6 as well as previous versions are affected. Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected. In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.
Меры по смягчению последствий
Currently, there is no mitigation for this issue.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 2 | ansible | Not affected | ||
| Red Hat Ceph Storage 3 | ansible | Not affected | ||
| Red Hat OpenStack Platform 10 (Newton) | ansible | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | ansible | Will not fix | ||
| Red Hat Storage 3 | ansible | Not affected | ||
| Red Hat Ansible Engine 2.7 for RHEL 7 | ansible | Fixed | RHSA-2020:2142 | 13.05.2020 |
| Red Hat Ansible Engine 2.8 for RHEL 7 | ansible | Fixed | RHBA-2020:4195 | 06.10.2020 |
| Red Hat Ansible Engine 2.8 for RHEL 8 | ansible | Fixed | RHBA-2020:4195 | 06.10.2020 |
| Red Hat Ansible Engine 2.9 for RHEL 7 | ansible | Fixed | RHSA-2020:1541 | 22.04.2020 |
| Red Hat Ansible Engine 2.9 for RHEL 8 | ansible | Fixed | RHSA-2020:1541 | 22.04.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
5 Medium
CVSS3
Связанные уязвимости
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.
A security flaw was found in Ansible Engine, all Ansible 2.7.x version ...
Insertion of Sensitive Information into Log File, Invocation of Process Using Visible Sensitive Information, and Exposure of Sensitive Information to an Unauthorized Actor in Ansible
Уязвимость модуля k8s системы управления конфигурациями Ansible, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальным данным
EPSS
5 Medium
CVSS3