Bug 1187725 (CVE-2021-3620)

Summary: VUL-0: CVE-2021-3620: ansible1,ansible: ansible-connection module discloses sensitive info in traceback error message
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Matej Cepl <mcepl>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: cloud-bugs, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/302933/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3620:6.5:(AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-06-25 15:06:02 UTC
A flaw was found in Ansible Engine's ansible-connection module where sensitive info like the ansible user credentials is disclosed by default in the traceback error message. The highest threat out of this vulnerability is to Confidentiality.

Comment 2 Gianluca Gabrielli 2021-06-28 09:29:49 UTC
Affected packages:
 - SUSE:SLE-11-SP3:Update:Teradata/ansible                      2.9.22
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible        2.9.22
 - SUSE:SLE-15:Update/ansible                                   2.9.21
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/ansible  2.9.21
 - openSUSE:Factory/ansible                                     2.9.23

Upstream patch [0].

[0] https://github.com/dalrrard/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0.patch

Comment 3 Gianluca Gabrielli 2021-08-20 10:32:56 UTC
The Ansible engineering team said that the current fix addresses (partially) this specific issue. The correct fix is still under development [0] and will be included at the earliest on Sept 13 with the release of 2.9.26.

So, @Matej please hold on with this bug.

[0] https://github.com/ansible/ansible-stage/pull/46

Comment 4 Gianluca Gabrielli 2021-09-20 10:48:15 UTC
An update from RH [0] states that the security bug was not addressed in 2.9.26 and that it will be in 2.9.27.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1975767#c21

Comment 5 Gianluca Gabrielli 2021-10-12 07:39:19 UTC
The patch is now available [0], can you please backport it?

[0] https://github.com/ansible/ansible/commit/555d1fb64d89d706c2e749c5551c089d6873acd5

Comment 9 Swamp Workflow Management 2021-12-22 14:32:57 UTC
SUSE-SU-2021:4152-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1176460,1187725,1188061
CVE References: CVE-2021-3583,CVE-2021-3620
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.27-3.21.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.27-3.21.1
HPE Helion Openstack 8 (src):    ansible-2.9.27-3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Gianluca Gabrielli 2022-03-29 16:11:39 UTC
Hi Matej,

Are you responsible for SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/ansible? It requires a submission as well.

Moreover, I don't see submissions for:
 - SUSE:SLE-11-SP3:Update:Teradata/ansible1
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible1