Bug 1187725 - (CVE-2021-3620) VUL-0: CVE-2021-3620: ansible1,ansible: ansible-connection module discloses sensitive info in traceback error message
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium, Normal
Assigned To: Matej Cepl
Security Team bot
https://smash.suse.de/issue/302933/
CVSSv3.1:SUSE:CVE-2021-3620:6.5:(AV:L...
Reported: 2021-06-25 15:06 UTC by Gianluca Gabrielli
Modified: 2022-08-08 11:05 UTC (History)
Found By: Security Response Team


Description Gianluca Gabrielli 2021-06-25 15:06:02 UTC
A flaw was found in Ansible Engine's ansible-connection module where sensitive info like the ansible user credentials are disclosed by default in the traceback error message. The highest threat out of this vulnerability is to Confidentiality.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1975767
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3620
Comment 2 Gianluca Gabrielli 2021-06-28 09:29:49 UTC
Affected packages:
 - SUSE:SLE-11-SP3:Update:Teradata/ansible                      2.9.22
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible        2.9.22
 - SUSE:SLE-15:Update/ansible                                   2.9.21
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/ansible  2.9.21
 - openSUSE:Factory/ansible                                     2.9.23

Upstream patch [0].

[0] https://github.com/dalrrard/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0.patch
Comment 3 Gianluca Gabrielli 2021-08-20 10:32:56 UTC
The Ansible engineering team said that the current fix addresses this specific issue only partially. The correct fix is still under development [0] and will be included at the earliest on Sept 13 with the release of 2.9.26.

So, @Matej please hold on with this bug.

[0] https://github.com/ansible/ansible-stage/pull/46
Comment 4 Gianluca Gabrielli 2021-09-20 10:48:15 UTC
An update from RH [0] states that the security bug was not addressed in 2.9.26 and that it will be in 2.9.27.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1975767#c21
Comment 5 Gianluca Gabrielli 2021-10-12 07:39:19 UTC
The patch is now available [0], can you please backport it?

[0] https://github.com/ansible/ansible/commit/555d1fb64d89d706c2e749c5551c089d6873acd5
Comment 9 Swamp Workflow Management 2021-12-22 14:32:57 UTC
SUSE-SU-2021:4152-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1176460,1187725,1188061
CVE References: CVE-2021-3583,CVE-2021-3620
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.27-3.21.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.27-3.21.1
HPE Helion Openstack 8 (src):    ansible-2.9.27-3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Gianluca Gabrielli 2022-03-29 16:11:39 UTC
Hi Matej,

Are you responsible for SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/ansible? It requires a submission as well.

Moreover, I don't see submissions for:
 - SUSE:SLE-11-SP3:Update:Teradata/ansible1
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible1