Bug 1065872 – VUL-0: CVE-2017-7550 ansible: jenkins_plugin module exposes passwords in remote host logs

Bug 1065872 - (CVE-2017-7550) VUL-0: CVE-2017-7550 ansible: jenkins_plugin module exposes passwords in remote host logs

(CVE-2017-7550)
Summary:	VUL-0: CVE-2017-7550 ansible: jenkins_plugin module exposes passwords in remo...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/192463/
Whiteboard:	CVSSv3:NVD:CVE-2017-7550:9.8:(AV:N/AC...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-10-31 15:36 UTC by Andreas Stieger
Modified:	2022-04-12 15:14 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2017-10-31 15:36:58 UTC

https://github.com/ansible/ansible/blob/v2.4.1.0-1/CHANGELOG.md

Security fix for CVE-2017-7550: the jenkins_plugin module was logging the jenkins server password if the url_password was passed via the params field: https://github.com/ansible/ansible/pull/30875

The fix is to disallow url_password in the module params + doc update.
https://github.com/ansible/ansible/pull/30875/commits/c80415389a13c2c3373966c736691dff493aab34

Fixed in 2.4.1.0

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1473645
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7550
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7550.html
https://rhn.redhat.com/errata/RHSA-2017-2966.html
https://access.redhat.com/errata/RHSA-2017:2966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7550

Comment 1 Swamp Workflow Management 2017-11-10 17:11:21 UTC

openSUSE-SU-2017:2976-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008037,1008038,1019021,1038785,1065872
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-9587,CVE-2017-7481,CVE-2017-7550
Sources used:
openSUSE Leap 42.3 (src):    ansible-2.4.1.0-6.1
openSUSE Leap 42.2 (src):    ansible-2.4.1.0-2.4.1

Comment 2 Swamp Workflow Management 2017-11-10 17:12:22 UTC

openSUSE-SU-2017:2978-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008037,1008038,1019021,1038785,1065872
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-9587,CVE-2017-7481,CVE-2017-7550
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.4.1.0-6.1

Comment 6 Tomáš Chvátal 2018-01-25 16:28:59 UTC

Well the submission for TD is in place so nothing more should be needed from pack team.

Comment 7 Marcus Meissner 2018-01-26 07:11:28 UTC

Cloud 7

OpenStack-Cloud_7                       SUSE:SLE-12-SP2:Update:Products:Cloud7:Update

Comment 9 Dirk Mueller 2018-02-09 08:54:41 UTC

this has been submitted as far as I can see. I've updated the version for cloud 8 (crowbar). SOC8 remains affected.

Comment 12 Swamp Workflow Management 2018-03-05 14:12:31 UTC

SUSE-SU-2018:0605-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1065872
CVE References: CVE-2017-7550
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-9.1

Comment 13 Marcus Meissner 2018-09-07 14:39:23 UTC

done