Bug 1038785 - (CVE-2017-7481) VUL-0: CVE-2017-7481: ansible: Security issue with lookup return not tainting the jinja2 environment
(CVE-2017-7481)
VUL-0: CVE-2017-7481: ansible: Security issue with lookup return not tainting...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/185056/
CVSSv3.1:SUSE:CVE-2017-7481:5.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-12 06:38 UTC by Johannes Segitz
Modified: 2022-04-12 14:47 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-05-12 06:38:04 UTC
rh#1450018

Discovered by Jason McKerr (Red Hat)

Data for lookup plugins used as variables was not being correctly marked as "unsafe", then some secrets could be printed out.

Fixed by ed56f51f185a1ffd7ea57130d260098686fcc7c2

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1450018
http://web.nvd.nist.gov/view/vuln/detail?vulnId=MITRE:CVE-2017-7481
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7481
Comment 2 Jan Matejek 2017-05-16 16:45:39 UTC
fix submitted for Teradata SLE11, SR 132757

Lars apparently already fixed Factory

Leap/Backports should probably take the Factory version?
Comment 5 Marcus Meissner 2017-10-26 06:13:20 UTC
released
Comment 6 Bernhard Wiedemann 2017-10-29 17:01:59 UTC
This is an autogenerated message for OBS integration:
This bug (1038785) was mentioned in
https://build.opensuse.org/request/show/537425 42.2+42.3+Backports:SLE-12 / ansible
Comment 7 Bernhard Wiedemann 2017-10-30 17:02:10 UTC
This is an autogenerated message for OBS integration:
This bug (1038785) was mentioned in
https://build.opensuse.org/request/show/537596 42.2+42.3+Backports:SLE-12 / ansible
Comment 8 Swamp Workflow Management 2017-11-10 17:11:13 UTC
openSUSE-SU-2017:2976-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008037,1008038,1019021,1038785,1065872
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-9587,CVE-2017-7481,CVE-2017-7550
Sources used:
openSUSE Leap 42.3 (src):    ansible-2.4.1.0-6.1
openSUSE Leap 42.2 (src):    ansible-2.4.1.0-2.4.1
Comment 9 Swamp Workflow Management 2017-11-10 17:12:16 UTC
openSUSE-SU-2017:2978-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008037,1008038,1019021,1038785,1065872
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-9587,CVE-2017-7481,CVE-2017-7550
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.4.1.0-6.1
Comment 10 Swamp Workflow Management 2017-11-17 17:07:49 UTC
SUSE-SU-2017:3029-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1019021,1038785,1056094
CVE References: CVE-2016-9587,CVE-2017-7466,CVE-2017-7481
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-5.1, monasca-installer-20170912_10.45-5.1
Comment 15 Swamp Workflow Management 2020-11-12 17:19:50 UTC
SUSE-SU-2020:3309-1: An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available.

Category: security (important)
Bug References: 1008037,1008038,1010940,1019021,1038785,1056094,1059235,1080682,1097775,1102126,1109957,1112959,1117080,1118896,1123561,1126503,1137479,1137528,1142121,1142542,1144453,1153452,1154231,1154232,1154830,1157968,1157969,1159447,1161919,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165022,1165393,1166389,1167440,1167532,1171162,1171823,1172450,1173413,1173416,1173418,1174006,1174145,1174242,1174302,1174583,1175484,1175986,1175993,1177120,1177948
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-8647,CVE-2016-9587,CVE-2017-7466,CVE-2017-7550,CVE-2018-10875,CVE-2018-11779,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2019-10156,CVE-2019-10206,CVE-2019-10217,CVE-2019-14846,CVE-2019-14856,CVE-2019-14858,CVE-2019-14864,CVE-2019-14904,CVE-2019-14905,CVE-2019-19844,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-14330,CVE-2020-14332,CVE-2020-14365,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-17376,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2020-25032,CVE-2020-26137,CVE-2020-7471,CVE-2020-9402
JIRA References: SOC-10300,SOC-10522,SOC-10616,SOC-11000,SOC-11223,SOC-11342,SOC-11352,SOC-11364,SOC-11386,SOC-11389,SOC-11391,SOC-6780,SOC-9974,SOC-9998
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.14-3.15.1, crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1, crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1, documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Pillow-4.2.1-3.9.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, rubygem-crowbar-client-3.9.3-1.1, storm-1.2.3-3.6.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-suse-openstack-cloud-installation-8.20201007-1.29.1, documentation-suse-openstack-cloud-operations-8.20201007-1.29.1, documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1, documentation-suse-openstack-cloud-planning-8.20201007-1.29.1, documentation-suse-openstack-cloud-security-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, documentation-suse-openstack-cloud-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1
HPE Helion Openstack 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-hpe-helion-openstack-installation-8.20201007-1.29.1, documentation-hpe-helion-openstack-operations-8.20201007-1.29.1, documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1, documentation-hpe-helion-openstack-planning-8.20201007-1.29.1, documentation-hpe-helion-openstack-security-8.20201007-1.29.1, documentation-hpe-helion-openstack-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-urllib3-1.22-5.12.1, release-notes-hpe-helion-openstack-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.