Bugzilla – Bug 1118896
VUL-1: CVE-2018-16876: ansible: Information disclosure in vvv+ mode with no_log on
Last modified: 2022-03-16 20:17:20 UTC
rh#1657330 It was found that when a retry task in ansible run with -vvv fails, it will log the raw return code, stdout and stderr from ssh which could have contained sensitive data. Upstream patch: https://github.com/ansible/ansible/pull/49569/commits/4c6d714aefb05366cb329e139214c89ebb364899 References: https://bugzilla.redhat.com/show_bug.cgi?id=1657330 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16876
What versions of ansible does this affect?
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update ansible 2.4.6.0 is affected; the older ones do not have the verbose debug output.
We are only using Ansible 1.9:

S | Name     | Type       | Version       | Arch   | Repository
--+----------+------------+---------------+--------+-------------------------------
  | ansible  | package    | 2.4.1.0-1.6   | noarch | OpenStack-Cloud-8-Pool
  | ansible  | package    | 2.4.6.0-3.3.1 | noarch | OpenStack-Cloud-8-Updates
  | ansible  | srcpackage | 2.4.6.0-3.3.1 | noarch | OpenStack-Cloud-8-Updates
  | ansible  | package    | 2.4.1.0-1.6   | noarch | SUSE-OpenStack-Cloud-8-Pool
  | ansible  | package    | 2.4.6.0-3.3.1 | noarch | SUSE-OpenStack-Cloud-8-Updates
  | ansible  | srcpackage | 2.4.6.0-3.3.1 | noarch | SUSE-OpenStack-Cloud-8-Updates
i | ansible1 | package    | 1.9.6-5.1     | noarch | OpenStack-Cloud-8-Pool
i | ansible1 | package    | 1.9.6-5.1     | noarch | SUSE-OpenStack-Cloud-8-Pool
i | ansible1 | package    | 1.9.6-5.1     | noarch | (System Packages)

Does this still apply?
We're actually using ansible 2.4 in Crowbar.
The same vulnerability exists in ardana-ansible (CLM), which is the default deployer tool in Cloud8. From ardana-ansible/connection_plugins/ssh.py:

    if p.returncode == 255:
        ip = None
        port = None
        for line in stderr.splitlines():
            match = re.search(
                'Connecting to .*\[(\d+\.\d+\.\d+\.\d+)\] port (\d+)', line)
            if match:
                ip = match.group(1)
                port = match.group(2)
        if 'UNPROTECTED PRIVATE KEY FILE' in stderr:
            lines = [line for line in stderr.splitlines() if 'ignore key:' in line]
        else:
            lines = stderr.splitlines()[-1:]
        if ip and port:
            lines.append(' while connecting to %s:%s' % (ip, port))
        lines.append(
            'It is sometimes useful to re-run the command using -vvvv, '
            'which prints SSH debug output to help diagnose the issue.')
        raise errors.AnsibleError('SSH Error: %s' % '\n'.join(lines))
See https://git.suse.provo.cloud/cgit/ardana/ardana-ansible/tree/connection_plugins/ssh.py?h=stable/pike#n415
(In reply to Marcus Meissner from comment #2)
> SUSE:SLE-12-SP3:Update:Products:Cloud8:Update ansible 2.4.6.0 is affected
> the older ones do not have the verbose debug output.

I'm looking at the code for the fork of Ansible 1.9 we use in SUSE OpenStack Cloud 8 CLM. As Dirk mentioned, there is similar code that could also log the output, though there are many differences between the 1.9 and 2.4.6 versions. Was there another reason for your statement that "older ones" are not affected that I might be missing?
Note: one of the things refactored was the ssh.py location:

    1.9 ardana-ansible:     connection_plugins/ssh.py
    2.6.4 upstream ansible: lib/ansible/plugins/connection/ssh.py

Unfortunately, the refactoring is so different that in 1.9 there isn't a self._play_context.no_log variable to reference for the message logic. I'll have to dig a bit more to determine if there is a direct analog, or if the change is needed in the old version at all: the problem would only arise if someone was running a playbook with -vvv and was capturing the logs in a place they could access them, and on a cloud system they would have to have direct login access to the system to accomplish that.
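The logging path the report in comment #0 describes, and the no_log gate comment #11 is looking for in the 1.9 code, are easier to reason about with a small model of the retry loop. The block below is an added example written for this bug page; it is not code from Ansible, ardana-ansible or the upstream fix. The Display stand-in, run_with_retries, the `fixed` switch and the ssh output containing "db_password=hunter2" are all constructed for the example. It shows the three cases that matter: pre-fix -vvv logging leaks the raw stderr even when no_log is set, the fixed path reduces the message to the return code when no_log is set, and no_log=False still logs the raw tuple (verbosity alone is not the control).

```python
"""Model of the -vvv retry-failure logging path fixed for CVE-2018-16876.

Added example, not code from Ansible or ardana-ansible: it re-creates the
shape of the retry loop in the ssh connection plugin so the leak and the fix
can be exercised side by side. Names (Display, run_with_retries, the
`fixed` switch) and the sample ssh output are assumptions for this example.
"""
from typing import Callable, List, Optional, Tuple

Result = Tuple[int, bytes, bytes]  # (rc, stdout, stderr) from the ssh child
SSH_RETRY_RC = 255                  # rc ssh itself uses for connection failures


class Display:
    """Stand-in for Ansible's Display: keeps -vvv lines in memory."""

    def __init__(self, verbosity: int) -> None:
        self.verbosity = verbosity
        self.lines: List[str] = []

    def vvv(self, msg: object, host: Optional[str] = None) -> None:
        # Only emitted when the playbook runs with -vvv or more.
        if self.verbosity >= 3:
            self.lines.append("<%s> %s" % (host, msg))


def run_with_retries(ssh: Callable[[], Result], display: Display, host: str,
                     retries: int, no_log: bool, fixed: bool) -> Result:
    """Run `ssh` until it stops returning rc 255 or retries are exhausted.

    Each failed attempt is reported at -vvv. Pre-fix (fixed=False) the raw
    (rc, stdout, stderr) tuple is logged regardless of no_log; with the fix,
    no_log=True reduces the message to the return code only.
    """
    for attempt in range(retries + 1):
        result = ssh()
        if result[0] != SSH_RETRY_RC:
            return result
        if fixed and no_log:
            display.vvv("rc=%s, stdout and stderr censored due to no log"
                        % result[0], host=host)
        else:
            display.vvv(result, host=host)  # the leak: raw stdout/stderr
        if attempt < retries:
            display.vvv("retrying (%d/%d)" % (attempt + 1, retries), host=host)
    raise ConnectionError("ssh failed after %d retries" % retries)


# Constructed sample: the ssh child fails with rc 255 and, because the task
# echoed a secret to stderr, the secret sits in the captured output.
SECRET = b"db_password=hunter2"


def failing_ssh() -> Result:
    return (SSH_RETRY_RC, b"", b"ssh: connection closed; " + SECRET)


def leaked(display: Display, secret: bytes = SECRET) -> bool:
    """Did the secret reach the -vvv output? This is the check to run on logs."""
    return any(secret.decode() in line for line in display.lines)


def demo(no_log: bool, fixed: bool, verbosity: int = 3) -> Display:
    """Run the failing ssh through the loop and return what got logged."""
    display = Display(verbosity)
    try:
        run_with_retries(failing_ssh, display, "host1", retries=1,
                         no_log=no_log, fixed=fixed)
    except ConnectionError:
        pass
    return display


if __name__ == "__main__":
    for no_log, fixed in [(True, False), (True, True), (False, True)]:
        d = demo(no_log, fixed)
        print("no_log=%s fixed=%s leaked=%s" % (no_log, fixed, leaked(d)))
        for line in d.lines:
            print("   ", line)
```

The leaked() check is the practical takeaway for an operator: if -vvv output from a deployment run has been captured to a file, grep it for the values your no_log tasks were protecting before assuming the fix closed the exposure, because anything written before the update is still on disk.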
openSUSE-SU-2019:1125-1: An update that solves 5 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1099808,1102126,1109957,1112959,1116587,1118896,1126503 CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): ansible-2.7.8-9.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
Joseph, any update on this problem? There is also another ansible issue at bsc#1126503, but it's still assigned to Cloud Bugs. Could you have a look?
No update, this has been too low priority to get any additional cycles.
openSUSE-SU-2019:1635-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1109957,1112959,1118896,1126503 CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): ansible-2.8.1-12.1
openSUSE-SU-2019:1635-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1109957,1112959,1118896,1126503 CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828 Sources used: openSUSE Leap 42.3 (src): ansible-2.8.1-12.1 openSUSE Leap 15.1 (src): ansible-2.8.1-lp151.2.3.1 openSUSE Leap 15.0 (src): ansible-2.8.1-lp150.2.6.1 openSUSE Backports SLE-15 (src): ansible-2.8.1-bp150.3.9.1 SUSE Package Hub for SUSE Linux Enterprise 12 (src): ansible-2.8.1-12.1
openSUSE-SU-2019:1858-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1109957,1112959,1118896,1126503 CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828 Sources used: openSUSE Backports SLE-15-SP1 (src): ansible-2.8.1-bp151.3.3.1
SUSE-SU-2020:3309-1: An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available. Category: security (important) Bug References: 1008037,1008038,1010940,1019021,1038785,1056094,1059235,1080682,1097775,1102126,1109957,1112959,1117080,1118896,1123561,1126503,1137479,1137528,1142121,1142542,1144453,1153452,1154231,1154232,1154830,1157968,1157969,1159447,1161919,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165022,1165393,1166389,1167440,1167532,1171162,1171823,1172450,1173413,1173416,1173418,1174006,1174145,1174242,1174302,1174583,1175484,1175986,1175993,1177120,1177948 CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-8647,CVE-2016-9587,CVE-2017-7466,CVE-2017-7550,CVE-2018-10875,CVE-2018-11779,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2019-10156,CVE-2019-10206,CVE-2019-10217,CVE-2019-14846,CVE-2019-14856,CVE-2019-14858,CVE-2019-14864,CVE-2019-14904,CVE-2019-14905,CVE-2019-19844,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-14330,CVE-2020-14332,CVE-2020-14365,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-17376,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2020-25032,CVE-2020-26137,CVE-2020-7471,CVE-2020-9402 JIRA References: SOC-10300,SOC-10522,SOC-10616,SOC-11000,SOC-11223,SOC-11342,SOC-11352,SOC-11364,SOC-11386,SOC-11389,SOC-11391,SOC-6780,SOC-9974,SOC-9998 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): ansible-2.9.14-3.15.1, crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1, crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1, documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, 
documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Pillow-4.2.1-3.9.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, rubygem-crowbar-client-3.9.3-1.1, storm-1.2.3-3.6.1 SUSE OpenStack Cloud 8 (src): ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-suse-openstack-cloud-installation-8.20201007-1.29.1, documentation-suse-openstack-cloud-operations-8.20201007-1.29.1, documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1, documentation-suse-openstack-cloud-planning-8.20201007-1.29.1, documentation-suse-openstack-cloud-security-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, documentation-suse-openstack-cloud-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, 
openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1 HPE Helion Openstack 8 (src): ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-hpe-helion-openstack-installation-8.20201007-1.29.1, documentation-hpe-helion-openstack-operations-8.20201007-1.29.1, documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1, 
documentation-hpe-helion-openstack-planning-8.20201007-1.29.1, documentation-hpe-helion-openstack-security-8.20201007-1.29.1, documentation-hpe-helion-openstack-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-urllib3-1.22-5.12.1, release-notes-hpe-helion-openstack-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. 
If you have questions please reach out to maintenance coordination.
DONE
openSUSE-SU-2022:0081-1: An update that solves 26 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1099808,1112959,1118896,1126503,1137528,1157968,1157969,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165393,1166389,1167440,1167532,1167873,1171162,1174145,1174302,1180816,1180942,1181119,1181935 CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2019-10156,CVE-2019-14846,CVE-2019-14904,CVE-2019-14905,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-14330,CVE-2020-14332,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): ansible-2.9.21-bp153.2.3.1