Bug 1219002 (CVE-2024-0690)

Summary: VUL-0: CVE-2024-0690: ansible: possible information leak in tasks that ignore ANSIBLE_NO_LOG configuration
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: cloud-bugs, gianluca.gabrielli, stoyan.manolov
Version: unspecifiedFlags: stoyan.manolov: needinfo? (cloud-bugs)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/391683/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-0690:5.1:(AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-01-19 13:42:14 UTC 
The `ANSIBLE_NO_LOG` environment variable configuration is currently being ignored. This impacts ansible-core 2.14, 2.15, and 2.16 supported releases (present in AAP 2.3 and 2.4)

There are workarounds, such as explicitly setting `no_log` within the playbook, but anyone relying on a global configuration is impacted.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0690
https://bugzilla.redhat.com/show_bug.cgi?id=2259013
Comment 1 Gianluca Gabrielli 2024-01-19 13:44:00 UTC 
Affected packages:
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible
 - SUSE:SLE-15:Update/ansible
 - openSUSE:Backports:SLE-15-SP4/ansible
 - openSUSE:Backports:SLE-15-SP5/ansible
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/ansible

Upstream patch: https://github.com/ansible/ansible/commit/b9a03bbf5a63459468baf8895ff74a62e9be4532.patch#/CVE-2024-0690.patch
Comment 3 Christian Almeida de Oliveira 2024-02-16 07:22:17 UTC 
SOC products are under LTSS which means that only CVE's with a cvss higher than 7 are taken into account for fix. This is not the case for this CVE.
Back to Security team.
Comment 6 Maintenance Automation 2024-04-24 12:30:07 UTC 
SUSE-SU-2024:1427-1: An update that solves eight vulnerabilities, contains one feature and has 11 security fixes can now be installed.

Category: security (moderate)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219887, 1219912, 1220371, 1221092
CVE References: CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-14365, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690
Jira References: MSQA-759
Maintenance Incident: [SUSE:Maintenance:33400](https://smelt.suse.de/incident/33400/)
Sources used:
SUSE Manager Client Tools Beta for SLE 15 (src):
 ansible-2.9.27-159000.3.12.2, spacecmd-5.0.5-159000.6.48.2, grafana-9.5.16-159000.4.30.2, supportutils-plugin-susemanager-client-5.0.3-159000.6.21.2, uyuni-tools-0.1.7-159000.3.8.1, POS_Image-Graphical7-0.1.1710765237.46af599-159000.3.24.2, dracut-saltboot-0.1.1710765237.46af599-159000.3.33.2, spacewalk-client-tools-5.0.4-159000.6.54.2, POS_Image-JeOS7-0.1.1710765237.46af599-159000.3.24.2
SUSE Manager Client Tools Beta for SLE Micro 5 (src):
 golang-github-prometheus-node_exporter-1.5.0-159000.6.2.1, uyuni-tools-0.1.7-159000.3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2024-05-06 12:31:08 UTC 
SUSE-SU-2024:1509-1: An update that solves 15 vulnerabilities, contains one feature and has four security fixes can now be installed.

Category: security (important)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219912, 1221092, 1221465, 1222155
CVE References: CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-10744, CVE-2020-14330, CVE-2020-14332, CVE-2020-14365, CVE-2020-1753, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33434](https://smelt.suse.de/incident/33434/)
Sources used:
openSUSE Leap 15.5 (src):
 spacecmd-4.3.27-150000.3.116.2, POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, golang-github-prometheus-promu-0.14.0-150000.3.18.2
SUSE Manager Client Tools for SLE 15 (src):
 POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, spacewalk-client-tools-4.3.19-150000.3.89.2, uyuni-common-libs-4.3.10-150000.1.39.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, mgr-daemon-4.3.9-150000.1.47.2, spacewalk-koan-4.3.6-150000.3.33.2, spacecmd-4.3.27-150000.3.116.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, grafana-9.5.18-150000.1.63.2
SUSE Manager Client Tools for SLE Micro 5 (src):
 uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2
SUSE Package Hub 15 15-SP5 (src):
 golang-github-prometheus-promu-0.14.0-150000.3.18.2
SUSE Manager Proxy 4.3 Module 4.3 (src):
 ansible-2.9.27-150000.1.17.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Thomas Leroy 2024-07-05 15:25:00 UTC 
All done, closing.