Bug 1181935 – VUL-0: CVE-2021-20228: ansible: basic.py no_log with fallback option

Bug 1181935 - (CVE-2021-20228) VUL-0: CVE-2021-20228: ansible: basic.py no_log with fallback option

(CVE-2021-20228)
Summary:	VUL-0: CVE-2021-20228: ansible: basic.py no_log with fallback option

Status:	IN_PROGRESS

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/277208/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-20228:5.0:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-02-08 10:26 UTC by Alexander Bergmann
Modified:	2022-09-08 13:46 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2021-02-08 10:26:12 UTC

rh#1925002

The return value of a specific module i.e. basic.py of ansible engine is not being masked by default while using the fallback sub-option.The return value may contain sensitive info like secret Or Credentials.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1925002
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20228

Comment 1 Marcus Meissner 2021-02-11 07:28:34 UTC

we actually ship ansible in SLES.

Comment 10 Swamp Workflow Management 2021-06-22 16:19:30 UTC

SUSE-SU-2021:2121-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1180816,1180942,1181119,1181935,1183684
CVE References: CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228,CVE-2021-3447
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.22-3.18.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.22-3.18.1
HPE Helion Openstack 8 (src):    ansible-2.9.22-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Christian Almeida de Oliveira 2021-07-06 08:21:07 UTC

MU for affected SOC product released. Back to security team.

Comment 12 Swamp Workflow Management 2022-03-16 20:19:18 UTC

openSUSE-SU-2022:0081-1: An update that solves 26 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1099808,1112959,1118896,1126503,1137528,1157968,1157969,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165393,1166389,1167440,1167532,1167873,1171162,1174145,1174302,1180816,1180942,1181119,1181935
CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2019-10156,CVE-2019-14846,CVE-2019-14904,CVE-2019-14905,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-14330,CVE-2020-14332,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    ansible-2.9.21-bp153.2.3.1

Comment 15 Swamp Workflow Management 2022-09-08 13:46:04 UTC

SUSE-SU-2022:3178-1: An update that solves 7 vulnerabilities, contains three features and has 10 fixes is now available.

Category: security (important)
Bug References: 1176460,1180816,1180942,1181119,1181935,1183684,1187725,1188061,1193585,1197963,1199528,1200142,1200591,1200968,1200970,1201003,1202614
CVE References: CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228,CVE-2021-3447,CVE-2021-3583,CVE-2021-3620
JIRA References: SLE-23631,SLE-24133,SLE-24791
Sources used:
openSUSE Leap 15.4 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1, wire-0.5.0-150000.1.6.1
openSUSE Leap 15.3 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1
SUSE Manager Tools 15 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, mgr-daemon-4.3.5-150000.1.35.1, mgr-virtualization-4.3.6-150000.1.32.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1, spacewalk-client-tools-4.3.11-150000.3.65.1, uyuni-common-libs-4.3.5-150000.1.24.1, uyuni-proxy-systemd-services-4.3.6-150000.1.6.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Server for SAP 15 (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise Server 15-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src):    ansible-2.9.27-150000.1.14.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src):    ansible-2.9.27-150000.1.14.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src):    python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.