Bug 1118896 - (CVE-2018-16876) VUL-1: CVE-2018-16876: ansible: Information disclosure in vvv+ mode with no_log on
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/220519/
CVSSv3:SUSE:CVE-2018-16876:3.1:(AV:N/...
Reported: 2018-12-10 07:07 UTC by Marcus Meissner
Modified: 2022-03-16 20:17 UTC (History)

Found By: Security Response Team
Description Marcus Meissner 2018-12-10 07:07:24 UTC
rh#1657330


It was found that when a retry task in ansible run with -vvv fails, it will log the raw return code, stdout and stderr from ssh which could have contained sensitive data.

Upstream patch:

https://github.com/ansible/ansible/pull/49569/commits/4c6d714aefb05366cb329e139214c89ebb364899

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1657330
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16876
Comment 1 Keith Berger 2018-12-10 16:19:04 UTC
What versions of ansible does this affect?
Comment 2 Marcus Meissner 2018-12-21 08:10:03 UTC
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update ansible 2.4.6.0 is affected
the older ones do not have the verbose debug output.
Comment 3 Keith Berger 2018-12-21 15:03:57 UTC
We are only using Ansible 1.9

S | Name                   | Type       | Version                                               | Arch   | Repository
--+------------------------+------------+-------------------------------------------------------+--------+-------------------------------
  | ansible                | package    | 2.4.1.0-1.6                                           | noarch | OpenStack-Cloud-8-Pool
    name: ansible
  | ansible                | package    | 2.4.6.0-3.3.1                                         | noarch | OpenStack-Cloud-8-Updates
    name: ansible
  | ansible                | srcpackage | 2.4.6.0-3.3.1                                         | noarch | OpenStack-Cloud-8-Updates
    name: ansible
  | ansible                | package    | 2.4.1.0-1.6                                           | noarch | SUSE-OpenStack-Cloud-8-Pool
    name: ansible
  | ansible                | package    | 2.4.6.0-3.3.1                                         | noarch | SUSE-OpenStack-Cloud-8-Updates
    name: ansible
  | ansible                | srcpackage | 2.4.6.0-3.3.1                                         | noarch | SUSE-OpenStack-Cloud-8-Updates
    name: ansible
i | ansible1               | package    | 1.9.6-5.1                                             | noarch | OpenStack-Cloud-8-Pool
    name: ansible1
i | ansible1               | package    | 1.9.6-5.1                                             | noarch | SUSE-OpenStack-Cloud-8-Pool
    name: ansible1
i | ansible1               | package    | 1.9.6-5.1                                             | noarch | (System Packages)
    name: ansible1


does this still apply?
Comment 4 Dirk Mueller 2018-12-21 15:15:46 UTC
we're actually using ansible 2.4 in Crowbar.
Comment 5 Dirk Mueller 2018-12-21 15:33:51 UTC
The same vulnerability exists in ardana-ansible (CLM), which is the default deployer tool in Cloud8:

From ardana-ansible/connection_plugins/ssh.py:

        if p.returncode == 255:
            ip = None
            port = None
            for line in stderr.splitlines():
                match = re.search(
                    'Connecting to .*\[(\d+\.\d+\.\d+\.\d+)\] port (\d+)',
                    line)
                if match:
                    ip = match.group(1)
                    port = match.group(2)
            if 'UNPROTECTED PRIVATE KEY FILE' in stderr:
                lines = [line for line in stderr.splitlines()
                         if 'ignore key:' in line]
            else:   
                lines = stderr.splitlines()[-1:]
            if ip and port:
                lines.append('    while connecting to %s:%s' % (ip, port))
            lines.append(
                'It is sometimes useful to re-run the command using -vvvv, '
                'which prints SSH debug output to help diagnose the issue.')
            raise errors.AnsibleError('SSH Error: %s' % '\n'.join(lines))
Comment 7 Joseph Davis 2019-01-02 23:41:52 UTC
(In reply to Marcus Meissner from comment #2)
> SUSE:SLE-12-SP3:Update:Products:Cloud8:Update ansible 2.4.6.0 is affected
> the older ones do not have the verbose debug output.

I'm looking at the code for the fork of Ansible 1.9 we use in SUSE OpenStack Cloud 8 CLM.  As Dirk mentioned, there is similar code that could also log the output, though there are many differences between the 1.9 and 2.4.6 versions.  Was there another reason for your statement that "older ones" are not affected that I might be missing?
Comment 8 Joseph Davis 2019-01-03 05:21:50 UTC
Note: one of the things refactored was the ssh.py location
1.9 ardana-ansible: connection_plugins/ssh.py
2.6.4 upstream ansible: lib/ansible/plugins/connection/ssh.py

Unfortunately, the refactoring is so different that in 1.9 there isn't a self._play_context.no_log variable to reference for the message logic. I'll have to dig a bit more to determine if there is a direct analog. Or if the change is needed in the old version - the problem only would arise if someone was running a playbook with the -vvv command and was capturing the logs in a place they would access them, and on a cloud system they would have to have direct login access to the system to accomplish that.
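
An added illustration, not code from ansible or ardana-ansible, of the logging pattern discussed in the description and in comments 5 and 8: a retrying SSH wrapper whose -vvv log line and final error message are both gated on a no_log flag. Only the returncode 255 check and the no_log flag come from this thread; the function names, the `log` list and the sample stderr are assumptions constructed for the example.

```python
"""Simplified model of a retrying SSH wrapper and its verbose (-vvv) logging."""

CENSORED = "stdout and stderr censored due to no_log"


def describe_result(result, no_log):
    """Text that may be logged for one attempt; result is (rc, stdout, stderr)."""
    rc, stdout, stderr = result
    if no_log:
        # Keep the return code for diagnosis, drop everything the remote side sent.
        return "rc=%d, %s" % (rc, CENSORED)
    return "rc=%d, stdout=%r, stderr=%r" % (rc, stdout, stderr)


def run_with_retries(run_once, retries, no_log, verbosity, log):
    """Call run_once() until it stops returning 255 (ssh error) or retries run out."""
    result = None
    for attempt in range(1, retries + 2):
        result = run_once()
        if result[0] != 255:
            return result
        if verbosity >= 3:  # the -vvv path named in the bug description
            log.append("attempt %d failed: %s"
                       % (attempt, describe_result(result, no_log)))
    # The final error is a second sink for the same data, so it is gated too.
    raise ConnectionError("ssh failed after %d attempts: %s"
                          % (retries + 1, describe_result(result, no_log)))


def make_failing_runner(secret):
    """Constructed stand-in for an ssh call that always fails and echoes a secret."""
    def run_once():
        return (255, "", "sh: mysql -p%s: connection refused" % secret)
    return run_once


SAMPLE_SECRET = "S3cr3t-constructed"  # constructed sample value


def demo(no_log):
    """Run three failing attempts at verbosity 3 and return everything logged."""
    log = []
    try:
        run_with_retries(make_failing_runner(SAMPLE_SECRET), retries=2,
                         no_log=no_log, verbosity=3, log=log)
    except ConnectionError as exc:
        log.append("fatal: %s" % exc)
    return log


if __name__ == "__main__":
    for flag in (False, True):
        print("no_log=%s" % flag)
        for line in demo(flag):
            print("  " + line)
```
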
Comment 9 Swamp Workflow Management 2019-04-03 07:11:04 UTC
openSUSE-SU-2019:1125-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1099808,1102126,1109957,1112959,1116587,1118896,1126503
CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.7.8-9.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 10 Alexander Bergmann 2019-04-12 10:05:07 UTC
Joseph, any update on this problem?

There is also another ansible issue at bsc#1126503, but it's still assigned to Cloud Bugs. Could you have a look?
Comment 11 Joseph Davis 2019-04-12 15:43:28 UTC
No update, this has been too low priority to get any additional cycles.
Comment 13 Swamp Workflow Management 2019-06-27 10:26:49 UTC
openSUSE-SU-2019:1635-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1109957,1112959,1118896,1126503
CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.8.1-12.1
Comment 14 Swamp Workflow Management 2019-06-27 10:29:27 UTC
openSUSE-SU-2019:1635-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1109957,1112959,1118896,1126503
CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828
Sources used:
openSUSE Leap 42.3 (src):    ansible-2.8.1-12.1
openSUSE Leap 15.1 (src):    ansible-2.8.1-lp151.2.3.1
openSUSE Leap 15.0 (src):    ansible-2.8.1-lp150.2.6.1
openSUSE Backports SLE-15 (src):    ansible-2.8.1-bp150.3.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.8.1-12.1
Comment 16 Swamp Workflow Management 2019-08-14 07:17:00 UTC
openSUSE-SU-2019:1858-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1109957,1112959,1118896,1126503
CVE References: CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2019-3828
Sources used:
openSUSE Backports SLE-15-SP1 (src):    ansible-2.8.1-bp151.3.3.1
Comment 25 Swamp Workflow Management 2020-11-12 17:20:50 UTC
SUSE-SU-2020:3309-1: An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available.

Category: security (important)
Bug References: 1008037,1008038,1010940,1019021,1038785,1056094,1059235,1080682,1097775,1102126,1109957,1112959,1117080,1118896,1123561,1126503,1137479,1137528,1142121,1142542,1144453,1153452,1154231,1154232,1154830,1157968,1157969,1159447,1161919,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165022,1165393,1166389,1167440,1167532,1171162,1171823,1172450,1173413,1173416,1173418,1174006,1174145,1174242,1174302,1174583,1175484,1175986,1175993,1177120,1177948
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-8647,CVE-2016-9587,CVE-2017-7466,CVE-2017-7550,CVE-2018-10875,CVE-2018-11779,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2019-10156,CVE-2019-10206,CVE-2019-10217,CVE-2019-14846,CVE-2019-14856,CVE-2019-14858,CVE-2019-14864,CVE-2019-14904,CVE-2019-14905,CVE-2019-19844,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-14330,CVE-2020-14332,CVE-2020-14365,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-17376,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2020-25032,CVE-2020-26137,CVE-2020-7471,CVE-2020-9402
JIRA References: SOC-10300,SOC-10522,SOC-10616,SOC-11000,SOC-11223,SOC-11342,SOC-11352,SOC-11364,SOC-11386,SOC-11389,SOC-11391,SOC-6780,SOC-9974,SOC-9998
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.14-3.15.1, crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1, crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1, documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Pillow-4.2.1-3.9.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, rubygem-crowbar-client-3.9.3-1.1, storm-1.2.3-3.6.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-suse-openstack-cloud-installation-8.20201007-1.29.1, documentation-suse-openstack-cloud-operations-8.20201007-1.29.1, documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1, documentation-suse-openstack-cloud-planning-8.20201007-1.29.1, documentation-suse-openstack-cloud-security-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, documentation-suse-openstack-cloud-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, 
venv-openstack-horizon-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1
HPE Helion Openstack 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-hpe-helion-openstack-installation-8.20201007-1.29.1, documentation-hpe-helion-openstack-operations-8.20201007-1.29.1, documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1, documentation-hpe-helion-openstack-planning-8.20201007-1.29.1, documentation-hpe-helion-openstack-security-8.20201007-1.29.1, documentation-hpe-helion-openstack-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-urllib3-1.22-5.12.1, release-notes-hpe-helion-openstack-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, 
venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Alexandros Toptsoglou 2021-01-27 17:06:23 UTC
DONE
Comment 29 Swamp Workflow Management 2022-03-16 20:17:20 UTC
openSUSE-SU-2022:0081-1: An update that solves 26 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1099808,1112959,1118896,1126503,1137528,1157968,1157969,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165393,1166389,1167440,1167532,1167873,1171162,1174145,1174302,1180816,1180942,1181119,1181935
CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2019-10156,CVE-2019-14846,CVE-2019-14904,CVE-2019-14905,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-14330,CVE-2020-14332,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    ansible-2.9.21-bp153.2.3.1