Action not permitted
Modal body text goes here.
cve-2018-10855
Vulnerability from cvelistv5
Published
2018-07-02 18:00
Modified
2024-08-05 07:46
Severity ?
EPSS score ?
Summary
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/errata/RHBA-2018:3788 | Vendor Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:1948 | Vendor Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:1949 | Vendor Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:2022 | Vendor Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:2079 | Vendor Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:2184 | Vendor Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:2585 | Vendor Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2019:0054 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://usn.ubuntu.com/4072-1/ | Third Party Advisory | |
| secalert@redhat.com | https://www.debian.org/security/2019/dsa-4396 | Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:47.397Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:1949",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
},
{
"name": "RHBA-2018:3788",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"name": "RHSA-2018:1948",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
},
{
"name": "RHSA-2018:2184",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
},
{
"name": "RHSA-2018:2022",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
},
{
"name": "RHSA-2019:0054",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"name": "RHSA-2018:2079",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
},
{
"name": "RHSA-2018:2585",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"name": "DSA-4396",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4396"
},
{
"name": "USN-4072-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4072-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ansible",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "Ansible 2.4.5"
},
{
"status": "affected",
"version": "Ansible 2.5.5"
}
]
}
],
"datePublic": "2018-06-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-25T01:06:04",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2018:1949",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
},
{
"name": "RHBA-2018:3788",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"name": "RHSA-2018:1948",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
},
{
"name": "RHSA-2018:2184",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
},
{
"name": "RHSA-2018:2022",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
},
{
"name": "RHSA-2019:0054",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"name": "RHSA-2018:2079",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
},
{
"name": "RHSA-2018:2585",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"name": "DSA-4396",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4396"
},
{
"name": "USN-4072-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4072-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-10855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ansible",
"version": {
"version_data": [
{
"version_value": "Ansible 2.4.5"
},
{
"version_value": "Ansible 2.5.5"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:1949",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
},
{
"name": "RHBA-2018:3788",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"name": "RHSA-2018:1948",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
},
{
"name": "RHSA-2018:2184",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
},
{
"name": "RHSA-2018:2022",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
},
{
"name": "RHSA-2019:0054",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"name": "RHSA-2018:2079",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
},
{
"name": "RHSA-2018:2585",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"name": "DSA-4396",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4396"
},
{
"name": "USN-4072-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4072-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-10855",
"datePublished": "2018-07-02T18:00:00",
"dateReserved": "2018-05-09T00:00:00",
"dateUpdated": "2024-08-05T07:46:47.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2018-10855\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2018-07-03T01:29:00.580\",\"lastModified\":\"2021-08-04T17:14:46.777\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.\"},{\"lang\":\"es\",\"value\":\"Ansible, en versiones 2.5 anteriores a la 2.5.5 y 2.4 anteriores a la 2.4.5, no cumplen con la marca de tarea no_log para las tareas fallidas. Cuando se ha empleado la marca no_log para proteger datos sensibles que se pasan a una tarea desde que se registra y esa tarea no se ejecuta con \u00e9xito, Ansible mostrar\u00e1 datos sensibles en archivos de registro y en el terminal del usuario que ejecuta Ansible.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]},{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.4\",\"versionEndExcluding\":\"2.4.5\",\"matchCriteriaId\":\"9B1CF308-19C7-4007-A72F-44F68C36B22A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"2.5\",\"versionEndIncluding\":\"2.5.5\",\"matchCriteriaId\":\"725395D6-82FA-47E1-A88D-F25B576E4B91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_engine:2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8989CD03-49A1-4831-BF98-9F21592788BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67F7263F-113D-4BAE-B8CB-86A61531A2AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"704CFA1A-953E-4105-BFBE-406034B83DED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6BBD7A51-0590-4DDF-8249-5AFA8D645CB6\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D4AC996-B340-4A14-86F7-FF83B4D5EC8F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD783B0C-9246-47D9-A937-6144FE8BFF0F\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHBA-2018:3788\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1948\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1949\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2022\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2079\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2184\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2585\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:0054\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4072-1/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2019/dsa-4396\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
rhsa-2018_2585
Vulnerability from csaf_redhat
Published
2018-08-29 16:05
Modified
2024-11-14 23:44
Summary
Red Hat Security Advisory: ansible security update
Notes
Topic
An update for ansible is now available for Red Hat
OpenStack Platform 13.0 (Queens).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.
The following packages have been upgraded to a newer upstream version: ansible (2.4.5)
Security Fix(es):
* ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)
* ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (CVE-2018-10874)
* ansible: ansible.cfg is being read from current working directory allowing possible code execution (CVE-2018-10875)
For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH), Brian Coca (Red Hat), and Michael Scherer (OSAS) for reporting this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ansible is now available for Red Hat\nOpenStack Platform 13.0 (Queens).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.\n\nThe following packages have been upgraded to a newer upstream version: ansible (2.4.5)\n\nSecurity Fix(es):\n\n* ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)\n\n* ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (CVE-2018-10874)\n\n* ansible: ansible.cfg is being read from current working directory allowing possible code execution (CVE-2018-10875)\n\nFor more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.\n\nRed Hat would like to thank Tobias Henkel (BMW Car IT GmbH), Brian Coca (Red Hat), and Michael Scherer (OSAS) for reporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2585",
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "1596528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596528"
},
{
"category": "external",
"summary": "1596533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596533"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2585.json"
}
],
"title": "Red Hat Security Advisory: ansible security update",
"tracking": {
"current_release_date": "2024-11-14T23:44:48+00:00",
"generator": {
"date": "2024-11-14T23:44:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:2585",
"initial_release_date": "2018-08-29T16:05:26+00:00",
"revision_history": [
{
"date": "2018-08-29T16:05:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-08-29T16:05:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:44:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0",
"product": {
"name": "Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0",
"product": {
"name": "Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.4.6.0-1.el7ae.src",
"product": {
"name": "ansible-0:2.4.6.0-1.el7ae.src",
"product_id": "ansible-0:2.4.6.0-1.el7ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.6.0-1.el7ae?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product": {
"name": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product_id": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.6.0-1.el7ae?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.6.0-1.el7ae.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.4.6.0-1.el7ae.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.6.0-1.el7ae.src as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
},
"product_reference": "ansible-0:2.4.6.0-1.el7ae.src",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.6.0-1.el7ae.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.4.6.0-1.el7ae.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.6.0-1.el7ae.src as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
},
"product_reference": "ansible-0:2.4.6.0-1.el7ae.src",
"relates_to_product_reference": "7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Tobias Henkel"
],
"organization": "BMW Car IT GmbH"
}
],
"cve": "CVE-2018-10855",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2018-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588855"
}
],
"notes": [
{
"category": "description",
"text": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10855"
},
{
"category": "external",
"summary": "RHBZ#1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10855",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"category": "external",
"summary": "https://github.com/ansible/ansible/pull/41414",
"url": "https://github.com/ansible/ansible/pull/41414"
}
],
"release_date": "2018-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-08-29T16:05:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs"
},
{
"acknowledgments": [
{
"names": [
"Michael Scherer"
],
"organization": "OSAS"
}
],
"cve": "CVE-2018-10874",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2018-06-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1596528"
}
],
"notes": [
{
"category": "description",
"text": "In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker\u0027s control, allowing to run arbitrary code as a result.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10874"
},
{
"category": "external",
"summary": "RHBZ#1596528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596528"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10874",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10874"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10874",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10874"
}
],
"release_date": "2018-06-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-08-29T16:05:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution"
},
{
"acknowledgments": [
{
"names": [
"Brian Coca"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2018-10875",
"cwe": {
"id": "CWE-426",
"name": "Untrusted Search Path"
},
"discovery_date": "2018-06-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1596533"
}
],
"notes": [
{
"category": "description",
"text": "It was found that ansible.cfg is being read from the current working directory, which can be made to point to plugin or module paths that are under control of the attacker. This could allow an attacker to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: ansible.cfg is being read from current working directory allowing possible code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10875"
},
{
"category": "external",
"summary": "RHBZ#1596533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10875",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10875"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10875",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10875"
}
],
"release_date": "2018-06-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-08-29T16:05:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-13.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-DEPLOYMENT-TOOLS-13.0:ansible-0:2.4.6.0-1.el7ae.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: ansible.cfg is being read from current working directory allowing possible code execution"
}
]
}
rhsa-2018_2184
Vulnerability from csaf_redhat
Published
2018-07-12 13:14
Modified
2024-11-14 23:43
Summary
Red Hat Security Advisory: CloudForms 4.6.3 bug fix and enhancement update
Notes
Topic
An update is now available for CloudForms Management Engine 5.9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security fix(es):
* ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)
Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting these issues.
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for CloudForms Management Engine 5.9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.\n\nSecurity fix(es):\n\n* ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)\n\nRed Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting these issues.\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in the\nReferences section.\n\nAdditional Changes:\n\nThis update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2184",
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1536677",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1536677"
},
{
"category": "external",
"summary": "1553227",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553227"
},
{
"category": "external",
"summary": "1553383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553383"
},
{
"category": "external",
"summary": "1553795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553795"
},
{
"category": "external",
"summary": "1563745",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1563745"
},
{
"category": "external",
"summary": "1565845",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1565845"
},
{
"category": "external",
"summary": "1565925",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1565925"
},
{
"category": "external",
"summary": "1566570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1566570"
},
{
"category": "external",
"summary": "1569170",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1569170"
},
{
"category": "external",
"summary": "1571303",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1571303"
},
{
"category": "external",
"summary": "1572760",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572760"
},
{
"category": "external",
"summary": "1574154",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1574154"
},
{
"category": "external",
"summary": "1574569",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1574569"
},
{
"category": "external",
"summary": "1575713",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1575713"
},
{
"category": "external",
"summary": "1576099",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576099"
},
{
"category": "external",
"summary": "1577247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1577247"
},
{
"category": "external",
"summary": "1578121",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578121"
},
{
"category": "external",
"summary": "1578124",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578124"
},
{
"category": "external",
"summary": "1578125",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578125"
},
{
"category": "external",
"summary": "1578126",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578126"
},
{
"category": "external",
"summary": "1578388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578388"
},
{
"category": "external",
"summary": "1578393",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578393"
},
{
"category": "external",
"summary": "1578394",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578394"
},
{
"category": "external",
"summary": "1578398",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578398"
},
{
"category": "external",
"summary": "1578400",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578400"
},
{
"category": "external",
"summary": "1578856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578856"
},
{
"category": "external",
"summary": "1578865",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578865"
},
{
"category": "external",
"summary": "1578954",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578954"
},
{
"category": "external",
"summary": "1578957",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578957"
},
{
"category": "external",
"summary": "1578964",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578964"
},
{
"category": "external",
"summary": "1578972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578972"
},
{
"category": "external",
"summary": "1578976",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578976"
},
{
"category": "external",
"summary": "1578986",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578986"
},
{
"category": "external",
"summary": "1578990",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578990"
},
{
"category": "external",
"summary": "1578996",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578996"
},
{
"category": "external",
"summary": "1580520",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1580520"
},
{
"category": "external",
"summary": "1580535",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1580535"
},
{
"category": "external",
"summary": "1581287",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1581287"
},
{
"category": "external",
"summary": "1581307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1581307"
},
{
"category": "external",
"summary": "1581386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1581386"
},
{
"category": "external",
"summary": "1583704",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1583704"
},
{
"category": "external",
"summary": "1583710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1583710"
},
{
"category": "external",
"summary": "1583777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1583777"
},
{
"category": "external",
"summary": "1583779",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1583779"
},
{
"category": "external",
"summary": "1583784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1583784"
},
{
"category": "external",
"summary": "1583786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1583786"
},
{
"category": "external",
"summary": "1583788",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1583788"
},
{
"category": "external",
"summary": "1583851",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1583851"
},
{
"category": "external",
"summary": "1584186",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1584186"
},
{
"category": "external",
"summary": "1584296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1584296"
},
{
"category": "external",
"summary": "1584406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1584406"
},
{
"category": "external",
"summary": "1584687",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1584687"
},
{
"category": "external",
"summary": "1584699",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1584699"
},
{
"category": "external",
"summary": "1585709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1585709"
},
{
"category": "external",
"summary": "1585745",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1585745"
},
{
"category": "external",
"summary": "1585821",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1585821"
},
{
"category": "external",
"summary": "1586213",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1586213"
},
{
"category": "external",
"summary": "1588038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588038"
},
{
"category": "external",
"summary": "1588042",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588042"
},
{
"category": "external",
"summary": "1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "1589837",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1589837"
},
{
"category": "external",
"summary": "1590346",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1590346"
},
{
"category": "external",
"summary": "1590353",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1590353"
},
{
"category": "external",
"summary": "1590426",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1590426"
},
{
"category": "external",
"summary": "1590430",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1590430"
},
{
"category": "external",
"summary": "1590846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1590846"
},
{
"category": "external",
"summary": "1591422",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591422"
},
{
"category": "external",
"summary": "1591423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591423"
},
{
"category": "external",
"summary": "1591425",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591425"
},
{
"category": "external",
"summary": "1591427",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591427"
},
{
"category": "external",
"summary": "1591429",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591429"
},
{
"category": "external",
"summary": "1591450",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591450"
},
{
"category": "external",
"summary": "1591484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591484"
},
{
"category": "external",
"summary": "1591939",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591939"
},
{
"category": "external",
"summary": "1592414",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1592414"
},
{
"category": "external",
"summary": "1592504",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1592504"
},
{
"category": "external",
"summary": "1592852",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1592852"
},
{
"category": "external",
"summary": "1592913",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1592913"
},
{
"category": "external",
"summary": "1592973",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1592973"
},
{
"category": "external",
"summary": "1593677",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593677"
},
{
"category": "external",
"summary": "1593684",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593684"
},
{
"category": "external",
"summary": "1593797",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593797"
},
{
"category": "external",
"summary": "1594027",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594027"
},
{
"category": "external",
"summary": "1594268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594268"
},
{
"category": "external",
"summary": "1594275",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594275"
},
{
"category": "external",
"summary": "1594324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594324"
},
{
"category": "external",
"summary": "1594386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594386"
},
{
"category": "external",
"summary": "1594831",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594831"
},
{
"category": "external",
"summary": "1594833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594833"
},
{
"category": "external",
"summary": "1594839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594839"
},
{
"category": "external",
"summary": "1595324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595324"
},
{
"category": "external",
"summary": "1595418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595418"
},
{
"category": "external",
"summary": "1595734",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595734"
},
{
"category": "external",
"summary": "1596248",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596248"
},
{
"category": "external",
"summary": "1596249",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596249"
},
{
"category": "external",
"summary": "1596314",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596314"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2184.json"
}
],
"title": "Red Hat Security Advisory: CloudForms 4.6.3 bug fix and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T23:43:55+00:00",
"generator": {
"date": "2024-11-14T23:43:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:2184",
"initial_release_date": "2018-07-12T13:14:44+00:00",
"revision_history": [
{
"date": "2018-07-12T13:14:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-07-12T13:14:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:43:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Management Engine 5.9",
"product": {
"name": "CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5.9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64",
"product": {
"name": "ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64",
"product_id": "ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-venv-tower@3.2.5-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64",
"product": {
"name": "ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64",
"product_id": "ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-venv-ansible@3.2.5-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-server-0:3.2.5-1.el7at.x86_64",
"product": {
"name": "ansible-tower-server-0:3.2.5-1.el7at.x86_64",
"product_id": "ansible-tower-server-0:3.2.5-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-server@3.2.5-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-ui-0:3.2.5-1.el7at.x86_64",
"product": {
"name": "ansible-tower-ui-0:3.2.5-1.el7at.x86_64",
"product_id": "ansible-tower-ui-0:3.2.5-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-ui@3.2.5-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-0:3.2.5-1.el7at.x86_64",
"product": {
"name": "ansible-tower-0:3.2.5-1.el7at.x86_64",
"product_id": "ansible-tower-0:3.2.5-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower@3.2.5-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-setup-0:3.2.5-1.el7at.x86_64",
"product": {
"name": "ansible-tower-setup-0:3.2.5-1.el7at.x86_64",
"product_id": "ansible-tower-setup-0:3.2.5-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-setup@3.2.5-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64",
"product": {
"name": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64",
"product_id": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/httpd-configmap-generator@0.2.2-1.1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.9.3.4-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.9.3.4-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-appliance-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.9.3.4-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-tools@5.9.3.4-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-common@5.9.3.4-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-debuginfo@5.9.3.4-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-gemset-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.9.3.4-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset-debuginfo@5.9.3.4-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64",
"product": {
"name": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64",
"product_id": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-amazon-smartstate@5.9.3.4-1.el7cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-tower-0:3.2.5-1.el7at.src",
"product": {
"name": "ansible-tower-0:3.2.5-1.el7at.src",
"product_id": "ansible-tower-0:3.2.5-1.el7at.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower@3.2.5-1.el7at?arch=src"
}
}
},
{
"category": "product_version",
"name": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.src",
"product": {
"name": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.src",
"product_id": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/httpd-configmap-generator@0.2.2-1.1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "ansible-0:2.4.5.0-1.el7ae.src",
"product": {
"name": "ansible-0:2.4.5.0-1.el7ae.src",
"product_id": "ansible-0:2.4.5.0-1.el7ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.5.0-1.el7ae?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.9.3.4-1.el7cf.src",
"product": {
"name": "cfme-0:5.9.3.4-1.el7cf.src",
"product_id": "cfme-0:5.9.3.4-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.9.3.4-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.9.3.4-1.el7cf.src",
"product": {
"name": "cfme-appliance-0:5.9.3.4-1.el7cf.src",
"product_id": "cfme-appliance-0:5.9.3.4-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.9.3.4-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.9.3.4-1.el7cf.src",
"product": {
"name": "cfme-gemset-0:5.9.3.4-1.el7cf.src",
"product_id": "cfme-gemset-0:5.9.3.4-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.9.3.4-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src",
"product": {
"name": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src",
"product_id": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-amazon-smartstate@5.9.3.4-1.el7cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"product": {
"name": "ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"product_id": "ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-doc@2.4.5.0-1.el7ae?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ansible-0:2.4.5.0-1.el7ae.noarch",
"product": {
"name": "ansible-0:2.4.5.0-1.el7ae.noarch",
"product_id": "ansible-0:2.4.5.0-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.5.0-1.el7ae?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.5.0-1.el7ae.noarch as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-0:2.4.5.0-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.4.5.0-1.el7ae.noarch",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.5.0-1.el7ae.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-0:2.4.5.0-1.el7ae.src"
},
"product_reference": "ansible-0:2.4.5.0-1.el7ae.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-doc-0:2.4.5.0-1.el7ae.noarch as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-doc-0:2.4.5.0-1.el7ae.noarch"
},
"product_reference": "ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-0:3.2.5-1.el7at.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-tower-0:3.2.5-1.el7at.src"
},
"product_reference": "ansible-tower-0:3.2.5-1.el7at.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-0:3.2.5-1.el7at.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-tower-0:3.2.5-1.el7at.x86_64"
},
"product_reference": "ansible-tower-0:3.2.5-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-server-0:3.2.5-1.el7at.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-tower-server-0:3.2.5-1.el7at.x86_64"
},
"product_reference": "ansible-tower-server-0:3.2.5-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-setup-0:3.2.5-1.el7at.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-tower-setup-0:3.2.5-1.el7at.x86_64"
},
"product_reference": "ansible-tower-setup-0:3.2.5-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-ui-0:3.2.5-1.el7at.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-tower-ui-0:3.2.5-1.el7at.x86_64"
},
"product_reference": "ansible-tower-ui-0:3.2.5-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64"
},
"product_reference": "ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64"
},
"product_reference": "ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.9.3.4-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-0:5.9.3.4-1.el7cf.src"
},
"product_reference": "cfme-0:5.9.3.4-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src"
},
"product_reference": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.9.3.4-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.3.4-1.el7cf.src"
},
"product_reference": "cfme-appliance-0:5.9.3.4-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.9.3.4-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.3.4-1.el7cf.src"
},
"product_reference": "cfme-gemset-0:5.9.3.4-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:httpd-configmap-generator-0:0.2.2-1.1.el7cf.src"
},
"product_reference": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64"
},
"product_reference": "httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Tobias Henkel"
],
"organization": "BMW Car IT GmbH"
}
],
"cve": "CVE-2018-10855",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2018-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588855"
}
],
"notes": [
{
"category": "description",
"text": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.9:ansible-0:2.4.5.0-1.el7ae.noarch",
"7Server-RH7-CFME-5.9:ansible-0:2.4.5.0-1.el7ae.src",
"7Server-RH7-CFME-5.9:ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"7Server-RH7-CFME-5.9:ansible-tower-0:3.2.5-1.el7at.src",
"7Server-RH7-CFME-5.9:ansible-tower-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-server-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-setup-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-ui-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:cfme-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:httpd-configmap-generator-0:0.2.2-1.1.el7cf.src",
"7Server-RH7-CFME-5.9:httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10855"
},
{
"category": "external",
"summary": "RHBZ#1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10855",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"category": "external",
"summary": "https://github.com/ansible/ansible/pull/41414",
"url": "https://github.com/ansible/ansible/pull/41414"
}
],
"release_date": "2018-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-07-12T13:14:44+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.9:ansible-0:2.4.5.0-1.el7ae.noarch",
"7Server-RH7-CFME-5.9:ansible-0:2.4.5.0-1.el7ae.src",
"7Server-RH7-CFME-5.9:ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"7Server-RH7-CFME-5.9:ansible-tower-0:3.2.5-1.el7at.src",
"7Server-RH7-CFME-5.9:ansible-tower-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-server-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-setup-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-ui-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:cfme-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:httpd-configmap-generator-0:0.2.2-1.1.el7cf.src",
"7Server-RH7-CFME-5.9:httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.9:ansible-0:2.4.5.0-1.el7ae.noarch",
"7Server-RH7-CFME-5.9:ansible-0:2.4.5.0-1.el7ae.src",
"7Server-RH7-CFME-5.9:ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"7Server-RH7-CFME-5.9:ansible-tower-0:3.2.5-1.el7at.src",
"7Server-RH7-CFME-5.9:ansible-tower-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-server-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-setup-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-ui-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-venv-ansible-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:ansible-tower-venv-tower-0:3.2.5-1.el7at.x86_64",
"7Server-RH7-CFME-5.9:cfme-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.3.4-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.3.4-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:httpd-configmap-generator-0:0.2.2-1.1.el7cf.src",
"7Server-RH7-CFME-5.9:httpd-configmap-generator-0:0.2.2-1.1.el7cf.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs"
}
]
}
rhsa-2019_0054
Vulnerability from csaf_redhat
Published
2019-01-16 17:11
Modified
2024-11-14 23:47
Summary
Red Hat Security Advisory: ansible security update
Notes
Topic
An update for ansible is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.
Security Fix(es):
* ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)
* ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (CVE-2018-10874)
* ansible: ansible.cfg is being read from current working directory allowing possible code execution (CVE-2018-10875)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting CVE-2018-10855 and Michael Scherer (OSAS) for reporting CVE-2018-10874. The CVE-2018-10875 issue was discovered by Brian Coca (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ansible is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.\n\nSecurity Fix(es):\n\n* ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)\n\n* ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (CVE-2018-10874)\n\n* ansible: ansible.cfg is being read from current working directory allowing possible code execution (CVE-2018-10875)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting CVE-2018-10855 and Michael Scherer (OSAS) for reporting CVE-2018-10874. The CVE-2018-10875 issue was discovered by Brian Coca (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:0054",
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "1596528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596528"
},
{
"category": "external",
"summary": "1596533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596533"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_0054.json"
}
],
"title": "Red Hat Security Advisory: ansible security update",
"tracking": {
"current_release_date": "2024-11-14T23:47:16+00:00",
"generator": {
"date": "2024-11-14T23:47:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:0054",
"initial_release_date": "2019-01-16T17:11:06+00:00",
"revision_history": [
{
"date": "2019-01-16T17:11:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-01-16T17:11:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:47:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.4.6.0-1.el7ae.src",
"product": {
"name": "ansible-0:2.4.6.0-1.el7ae.src",
"product_id": "ansible-0:2.4.6.0-1.el7ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.6.0-1.el7ae?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product": {
"name": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product_id": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.6.0-1.el7ae?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.6.0-1.el7ae.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.4.6.0-1.el7ae.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.6.0-1.el7ae.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
},
"product_reference": "ansible-0:2.4.6.0-1.el7ae.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Tobias Henkel"
],
"organization": "BMW Car IT GmbH"
}
],
"cve": "CVE-2018-10855",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2018-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588855"
}
],
"notes": [
{
"category": "description",
"text": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10855"
},
{
"category": "external",
"summary": "RHBZ#1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10855",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"category": "external",
"summary": "https://github.com/ansible/ansible/pull/41414",
"url": "https://github.com/ansible/ansible/pull/41414"
}
],
"release_date": "2018-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-01-16T17:11:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs"
},
{
"acknowledgments": [
{
"names": [
"Michael Scherer"
],
"organization": "OSAS"
}
],
"cve": "CVE-2018-10874",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2018-06-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1596528"
}
],
"notes": [
{
"category": "description",
"text": "In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker\u0027s control, allowing to run arbitrary code as a result.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10874"
},
{
"category": "external",
"summary": "RHBZ#1596528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596528"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10874",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10874"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10874",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10874"
}
],
"release_date": "2018-06-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-01-16T17:11:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution"
},
{
"acknowledgments": [
{
"names": [
"Brian Coca"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2018-10875",
"cwe": {
"id": "CWE-426",
"name": "Untrusted Search Path"
},
"discovery_date": "2018-06-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1596533"
}
],
"notes": [
{
"category": "description",
"text": "It was found that ansible.cfg is being read from the current working directory, which can be made to point to plugin or module paths that are under control of the attacker. This could allow an attacker to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: ansible.cfg is being read from current working directory allowing possible code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10875"
},
{
"category": "external",
"summary": "RHBZ#1596533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10875",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10875"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10875",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10875"
}
],
"release_date": "2018-06-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-01-16T17:11:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-10.0:ansible-0:2.4.6.0-1.el7ae.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: ansible.cfg is being read from current working directory allowing possible code execution"
}
]
}
rhsa-2018_1948
Vulnerability from csaf_redhat
Published
2018-06-19 19:27
Modified
2024-11-14 23:43
Summary
Red Hat Security Advisory: ansible security and bug fix update
Notes
Topic
An update for ansible is now available for Red Hat Ansible Engine 2 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.
The following packages have been upgraded to a newer upstream version: ansible (2.5.5)
Security fix(es):
* ansible: Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled. (CVE-2018-10855)
Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for
reporting these issues.
Bug Fix(es):
* Changed the admin_users config option to not include "admin" by default
as admin is frequently used for a non-privileged account
(https://github.com/ansible/ansible/pull/41164)
* aws_s3 - add async support to the action plugin
(https://github.com/ansible/ansible/pull/40826)
* aws_s3 - fix decrypting vault files
(https://github.com/ansible/ansible/pull/39634)
* ec2_ami - cast the device_mapping volume size to an int
(https://github.com/ansible/ansible/pull/40938)
* eos_logging - fix idempotency issues
(https://github.com/ansible/ansible/pull/40604)
* cache plugins - a cache timeout of 0 means the cache will not expire.
* ios_logging - fix idempotency issues
(https://github.com/ansible/ansible/pull/41029)
* ios/nxos/eos_config - don't retrieve config in running_config when config
is provided for diff (https://github.com/ansible/ansible/pull/41400)
* nxos_banner - fix multiline banner issue
(https://github.com/ansible/ansible/pull/41026).
* nxos terminal plugin - fix output truncation
(https://github.com/ansible/ansible/pull/40960)
* nxos_l3_interface - fix no switchport issue with loopback and svi
interfaces (https://github.com/ansible/ansible/pull/37392).
* nxos_snapshot - fix compare_option
(https://github.com/ansible/ansible/pull/41386)
See
https://github.com/ansible/ansible/blob/v2.5.5/changelogs/CHANGELOG-v2.5.rst
for details on this release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ansible is now available for Red Hat Ansible Engine 2 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.\n\nThe following packages have been upgraded to a newer upstream version: ansible (2.5.5)\n\nSecurity fix(es):\n\n* ansible: Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled. (CVE-2018-10855)\n\nRed Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for\nreporting these issues.\n\nBug Fix(es):\n\n* Changed the admin_users config option to not include \"admin\" by default\nas admin is frequently used for a non-privileged account\n(https://github.com/ansible/ansible/pull/41164)\n\n* aws_s3 - add async support to the action plugin\n(https://github.com/ansible/ansible/pull/40826)\n\n* aws_s3 - fix decrypting vault files\n(https://github.com/ansible/ansible/pull/39634)\n\n* ec2_ami - cast the device_mapping volume size to an int\n(https://github.com/ansible/ansible/pull/40938)\n\n* eos_logging - fix idempotency issues\n(https://github.com/ansible/ansible/pull/40604)\n\n* cache plugins - a cache timeout of 0 means the cache will not expire.\n\n* ios_logging - fix idempotency issues\n(https://github.com/ansible/ansible/pull/41029)\n\n* ios/nxos/eos_config - don\u0027t retrieve config in running_config when config\nis provided for diff (https://github.com/ansible/ansible/pull/41400)\n\n* nxos_banner - fix multiline banner issue\n(https://github.com/ansible/ansible/pull/41026).\n\n* nxos terminal plugin - fix output truncation\n(https://github.com/ansible/ansible/pull/40960)\n\n* nxos_l3_interface - fix no switchport issue with loopback and svi\ninterfaces (https://github.com/ansible/ansible/pull/37392).\n\n* nxos_snapshot - fix compare_option\n(https://github.com/ansible/ansible/pull/41386)\n\nSee\nhttps://github.com/ansible/ansible/blob/v2.5.5/changelogs/CHANGELOG-v2.5.rst\nfor details on this release.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:1948",
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_1948.json"
}
],
"title": "Red Hat Security Advisory: ansible security and bug fix update",
"tracking": {
"current_release_date": "2024-11-14T23:43:49+00:00",
"generator": {
"date": "2024-11-14T23:43:49+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:1948",
"initial_release_date": "2018-06-19T19:27:11+00:00",
"revision_history": [
{
"date": "2018-06-19T19:27:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-06-19T19:27:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:43:49+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ansible Engine 2 for RHEL 7",
"product": {
"name": "Red Hat Ansible Engine 2 for RHEL 7",
"product_id": "7Server-Ansible-2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_engine:2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ansible Engine"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-doc-0:2.5.5-1.el7ae.noarch",
"product": {
"name": "ansible-doc-0:2.5.5-1.el7ae.noarch",
"product_id": "ansible-doc-0:2.5.5-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-doc@2.5.5-1.el7ae?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ansible-0:2.5.5-1.el7ae.noarch",
"product": {
"name": "ansible-0:2.5.5-1.el7ae.noarch",
"product_id": "ansible-0:2.5.5-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.5.5-1.el7ae?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.5.5-1.el7ae.src",
"product": {
"name": "ansible-0:2.5.5-1.el7ae.src",
"product_id": "ansible-0:2.5.5-1.el7ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.5.5-1.el7ae?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.5.5-1.el7ae.noarch as a component of Red Hat Ansible Engine 2 for RHEL 7",
"product_id": "7Server-Ansible-2:ansible-0:2.5.5-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.5.5-1.el7ae.noarch",
"relates_to_product_reference": "7Server-Ansible-2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.5.5-1.el7ae.src as a component of Red Hat Ansible Engine 2 for RHEL 7",
"product_id": "7Server-Ansible-2:ansible-0:2.5.5-1.el7ae.src"
},
"product_reference": "ansible-0:2.5.5-1.el7ae.src",
"relates_to_product_reference": "7Server-Ansible-2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-doc-0:2.5.5-1.el7ae.noarch as a component of Red Hat Ansible Engine 2 for RHEL 7",
"product_id": "7Server-Ansible-2:ansible-doc-0:2.5.5-1.el7ae.noarch"
},
"product_reference": "ansible-doc-0:2.5.5-1.el7ae.noarch",
"relates_to_product_reference": "7Server-Ansible-2"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Tobias Henkel"
],
"organization": "BMW Car IT GmbH"
}
],
"cve": "CVE-2018-10855",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2018-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588855"
}
],
"notes": [
{
"category": "description",
"text": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-2:ansible-0:2.5.5-1.el7ae.noarch",
"7Server-Ansible-2:ansible-0:2.5.5-1.el7ae.src",
"7Server-Ansible-2:ansible-doc-0:2.5.5-1.el7ae.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10855"
},
{
"category": "external",
"summary": "RHBZ#1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10855",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"category": "external",
"summary": "https://github.com/ansible/ansible/pull/41414",
"url": "https://github.com/ansible/ansible/pull/41414"
}
],
"release_date": "2018-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-06-19T19:27:11+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Ansible-2:ansible-0:2.5.5-1.el7ae.noarch",
"7Server-Ansible-2:ansible-0:2.5.5-1.el7ae.src",
"7Server-Ansible-2:ansible-doc-0:2.5.5-1.el7ae.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-Ansible-2:ansible-0:2.5.5-1.el7ae.noarch",
"7Server-Ansible-2:ansible-0:2.5.5-1.el7ae.src",
"7Server-Ansible-2:ansible-doc-0:2.5.5-1.el7ae.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs"
}
]
}
rhsa-2018_1949
Vulnerability from csaf_redhat
Published
2018-06-19 19:27
Modified
2024-11-14 23:43
Summary
Red Hat Security Advisory: ansible security and bug fix update
Notes
Topic
An update for ansible is now available for Red Hat Ansible Engine 2.5 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.
The following packages have been upgraded to a newer upstream version: ansible (2.5.5)
Security fix(es):
* ansible: Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled. (CVE-2018-10855)
Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for
reporting these issues.
Bug Fix(es):
* Changed the admin_users config option to not include "admin" by default
as admin is frequently used for a non-privileged account
(https://github.com/ansible/ansible/pull/41164)
* aws_s3 - add async support to the action plugin
(https://github.com/ansible/ansible/pull/40826)
* aws_s3 - fix decrypting vault files
(https://github.com/ansible/ansible/pull/39634)
* ec2_ami - cast the device_mapping volume size to an int
(https://github.com/ansible/ansible/pull/40938)
* eos_logging - fix idempotency issues
(https://github.com/ansible/ansible/pull/40604)
* cache plugins - a cache timeout of 0 means the cache will not expire.
* ios_logging - fix idempotency issues
(https://github.com/ansible/ansible/pull/41029)
* ios/nxos/eos_config - don't retrieve config in running_config when config
is provided for diff (https://github.com/ansible/ansible/pull/41400)
* nxos_banner - fix multiline banner issue
(https://github.com/ansible/ansible/pull/41026).
* nxos terminal plugin - fix output truncation
(https://github.com/ansible/ansible/pull/40960)
* nxos_l3_interface - fix no switchport issue with loopback and svi
interfaces (https://github.com/ansible/ansible/pull/37392).
* nxos_snapshot - fix compare_option
(https://github.com/ansible/ansible/pull/41386)
See
https://github.com/ansible/ansible/blob/v2.5.5/changelogs/CHANGELOG-v2.5.rst
for details on this release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ansible is now available for Red Hat Ansible Engine 2.5 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.\n\nThe following packages have been upgraded to a newer upstream version: ansible (2.5.5)\n\nSecurity fix(es):\n\n* ansible: Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled. (CVE-2018-10855)\n\nRed Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for\nreporting these issues.\n\nBug Fix(es):\n\n* Changed the admin_users config option to not include \"admin\" by default\nas admin is frequently used for a non-privileged account\n(https://github.com/ansible/ansible/pull/41164)\n\n* aws_s3 - add async support to the action plugin\n(https://github.com/ansible/ansible/pull/40826)\n\n* aws_s3 - fix decrypting vault files\n(https://github.com/ansible/ansible/pull/39634)\n\n* ec2_ami - cast the device_mapping volume size to an int\n(https://github.com/ansible/ansible/pull/40938)\n\n* eos_logging - fix idempotency issues\n(https://github.com/ansible/ansible/pull/40604)\n\n* cache plugins - a cache timeout of 0 means the cache will not expire.\n\n* ios_logging - fix idempotency issues\n(https://github.com/ansible/ansible/pull/41029)\n\n* ios/nxos/eos_config - don\u0027t retrieve config in running_config when config\nis provided for diff (https://github.com/ansible/ansible/pull/41400)\n\n* nxos_banner - fix multiline banner issue\n(https://github.com/ansible/ansible/pull/41026).\n\n* nxos terminal plugin - fix output truncation\n(https://github.com/ansible/ansible/pull/40960)\n\n* nxos_l3_interface - fix no switchport issue with loopback and svi\ninterfaces (https://github.com/ansible/ansible/pull/37392).\n\n* nxos_snapshot - fix compare_option\n(https://github.com/ansible/ansible/pull/41386)\n\nSee\nhttps://github.com/ansible/ansible/blob/v2.5.5/changelogs/CHANGELOG-v2.5.rst\nfor details on this release.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:1949",
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_1949.json"
}
],
"title": "Red Hat Security Advisory: ansible security and bug fix update",
"tracking": {
"current_release_date": "2024-11-14T23:43:44+00:00",
"generator": {
"date": "2024-11-14T23:43:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:1949",
"initial_release_date": "2018-06-19T19:27:30+00:00",
"revision_history": [
{
"date": "2018-06-19T19:27:30+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-06-19T19:27:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:43:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ansible Engine 2.5 for RHEL 7 Server",
"product": {
"name": "Red Hat Ansible Engine 2.5 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_engine:2.5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ansible Engine"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-doc-0:2.5.5-1.el7ae.noarch",
"product": {
"name": "ansible-doc-0:2.5.5-1.el7ae.noarch",
"product_id": "ansible-doc-0:2.5.5-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-doc@2.5.5-1.el7ae?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ansible-0:2.5.5-1.el7ae.noarch",
"product": {
"name": "ansible-0:2.5.5-1.el7ae.noarch",
"product_id": "ansible-0:2.5.5-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.5.5-1.el7ae?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.5.5-1.el7ae.src",
"product": {
"name": "ansible-0:2.5.5-1.el7ae.src",
"product_id": "ansible-0:2.5.5-1.el7ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.5.5-1.el7ae?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.5.5-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.5 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.5:ansible-0:2.5.5-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.5.5-1.el7ae.noarch",
"relates_to_product_reference": "7Server-Ansible-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.5.5-1.el7ae.src as a component of Red Hat Ansible Engine 2.5 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.5:ansible-0:2.5.5-1.el7ae.src"
},
"product_reference": "ansible-0:2.5.5-1.el7ae.src",
"relates_to_product_reference": "7Server-Ansible-2.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-doc-0:2.5.5-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.5 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.5:ansible-doc-0:2.5.5-1.el7ae.noarch"
},
"product_reference": "ansible-doc-0:2.5.5-1.el7ae.noarch",
"relates_to_product_reference": "7Server-Ansible-2.5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Tobias Henkel"
],
"organization": "BMW Car IT GmbH"
}
],
"cve": "CVE-2018-10855",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2018-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588855"
}
],
"notes": [
{
"category": "description",
"text": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-2.5:ansible-0:2.5.5-1.el7ae.noarch",
"7Server-Ansible-2.5:ansible-0:2.5.5-1.el7ae.src",
"7Server-Ansible-2.5:ansible-doc-0:2.5.5-1.el7ae.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10855"
},
{
"category": "external",
"summary": "RHBZ#1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10855",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"category": "external",
"summary": "https://github.com/ansible/ansible/pull/41414",
"url": "https://github.com/ansible/ansible/pull/41414"
}
],
"release_date": "2018-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-06-19T19:27:30+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Ansible-2.5:ansible-0:2.5.5-1.el7ae.noarch",
"7Server-Ansible-2.5:ansible-0:2.5.5-1.el7ae.src",
"7Server-Ansible-2.5:ansible-doc-0:2.5.5-1.el7ae.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-Ansible-2.5:ansible-0:2.5.5-1.el7ae.noarch",
"7Server-Ansible-2.5:ansible-0:2.5.5-1.el7ae.src",
"7Server-Ansible-2.5:ansible-doc-0:2.5.5-1.el7ae.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs"
}
]
}
rhba-2018_3788
Vulnerability from csaf_redhat
Published
2018-12-05 19:01
Modified
2024-11-14 23:32
Summary
Red Hat Bug Fix Advisory: Red Hat OpenStack Platform 12 Bug Fix and Enhancement Advisory
Notes
Topic
Updated packages that resolve various issues are now available for Red Hat
OpenStack Platform 12.0 (Pike) for RHEL 7.
Details
Red Hat OpenStack Platform provides the facilities for building, deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated packages that resolve various issues are now available for Red Hat\nOpenStack Platform 12.0 (Pike) for RHEL 7.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenStack Platform provides the facilities for building, deploying\nand monitoring a private or public infrastructure-as-a-service (IaaS) cloud\nrunning on commonly available physical hardware.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2018:3788",
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"category": "external",
"summary": "1568591",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1568591"
},
{
"category": "external",
"summary": "1644801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1644801"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhba-2018_3788.json"
}
],
"title": "Red Hat Bug Fix Advisory: Red Hat OpenStack Platform 12 Bug Fix and Enhancement Advisory",
"tracking": {
"current_release_date": "2024-11-14T23:32:57+00:00",
"generator": {
"date": "2024-11-14T23:32:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHBA-2018:3788",
"initial_release_date": "2018-12-05T19:01:13+00:00",
"revision_history": [
{
"date": "2018-12-05T19:01:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-12-05T19:01:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:32:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 12.0",
"product": {
"name": "Red Hat OpenStack Platform 12.0",
"product_id": "7Server-RH7-RHOS-12.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:12::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.4.6.0-1.el7ae.src",
"product": {
"name": "ansible-0:2.4.6.0-1.el7ae.src",
"product_id": "ansible-0:2.4.6.0-1.el7ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.6.0-1.el7ae?arch=src"
}
}
},
{
"category": "product_version",
"name": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src",
"product": {
"name": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src",
"product_id": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-role-redhat-subscription@1.0.1-4.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product": {
"name": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product_id": "ansible-0:2.4.6.0-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.6.0-1.el7ae?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"product": {
"name": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"product_id": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-role-redhat-subscription@1.0.1-4.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.6.0-1.el7ae.noarch as a component of Red Hat OpenStack Platform 12.0",
"product_id": "7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.4.6.0-1.el7ae.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-12.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.6.0-1.el7ae.src as a component of Red Hat OpenStack Platform 12.0",
"product_id": "7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src"
},
"product_reference": "ansible-0:2.4.6.0-1.el7ae.src",
"relates_to_product_reference": "7Server-RH7-RHOS-12.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch as a component of Red Hat OpenStack Platform 12.0",
"product_id": "7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch"
},
"product_reference": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-12.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src as a component of Red Hat OpenStack Platform 12.0",
"product_id": "7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
},
"product_reference": "ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-12.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Tobias Henkel"
],
"organization": "BMW Car IT GmbH"
}
],
"cve": "CVE-2018-10855",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2018-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588855"
}
],
"notes": [
{
"category": "description",
"text": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10855"
},
{
"category": "external",
"summary": "RHBZ#1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10855",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"category": "external",
"summary": "https://github.com/ansible/ansible/pull/41414",
"url": "https://github.com/ansible/ansible/pull/41414"
}
],
"release_date": "2018-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-12-05T19:01:13+00:00",
"details": "Before applying this update, ensure all previously released errata relevant\nto your system have been applied.\n\nRed Hat OpenStack Platform 12 runs on Red Hat Enterprise Linux 7.5.\n\nThe Red Hat OpenStack Platform 12 Release Notes contain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat OpenStack Platform 12, including which\nchannels need to be enabled and disabled.\n\nThe Release Notes are available at:\nhttps://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/release_notes/\n\nThis update is available through \u0027yum update\u0027 on systems registered through\nRed Hat Subscription Manager. For more information about Red Hat\nSubscription Manager, see:\n\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html",
"product_ids": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs"
},
{
"acknowledgments": [
{
"names": [
"Michael Scherer"
],
"organization": "OSAS"
}
],
"cve": "CVE-2018-10874",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2018-06-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1596528"
}
],
"notes": [
{
"category": "description",
"text": "In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker\u0027s control, allowing to run arbitrary code as a result.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10874"
},
{
"category": "external",
"summary": "RHBZ#1596528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596528"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10874",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10874"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10874",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10874"
}
],
"release_date": "2018-06-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-12-05T19:01:13+00:00",
"details": "Before applying this update, ensure all previously released errata relevant\nto your system have been applied.\n\nRed Hat OpenStack Platform 12 runs on Red Hat Enterprise Linux 7.5.\n\nThe Red Hat OpenStack Platform 12 Release Notes contain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat OpenStack Platform 12, including which\nchannels need to be enabled and disabled.\n\nThe Release Notes are available at:\nhttps://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/release_notes/\n\nThis update is available through \u0027yum update\u0027 on systems registered through\nRed Hat Subscription Manager. For more information about Red Hat\nSubscription Manager, see:\n\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html",
"product_ids": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution"
},
{
"acknowledgments": [
{
"names": [
"Brian Coca"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2018-10875",
"cwe": {
"id": "CWE-426",
"name": "Untrusted Search Path"
},
"discovery_date": "2018-06-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1596533"
}
],
"notes": [
{
"category": "description",
"text": "It was found that ansible.cfg is being read from the current working directory, which can be made to point to plugin or module paths that are under control of the attacker. This could allow an attacker to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: ansible.cfg is being read from current working directory allowing possible code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10875"
},
{
"category": "external",
"summary": "RHBZ#1596533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10875",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10875"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10875",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10875"
}
],
"release_date": "2018-06-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-12-05T19:01:13+00:00",
"details": "Before applying this update, ensure all previously released errata relevant\nto your system have been applied.\n\nRed Hat OpenStack Platform 12 runs on Red Hat Enterprise Linux 7.5.\n\nThe Red Hat OpenStack Platform 12 Release Notes contain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat OpenStack Platform 12, including which\nchannels need to be enabled and disabled.\n\nThe Release Notes are available at:\nhttps://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/release_notes/\n\nThis update is available through \u0027yum update\u0027 on systems registered through\nRed Hat Subscription Manager. For more information about Red Hat\nSubscription Manager, see:\n\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html",
"product_ids": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.noarch",
"7Server-RH7-RHOS-12.0:ansible-0:2.4.6.0-1.el7ae.src",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.noarch",
"7Server-RH7-RHOS-12.0:ansible-role-redhat-subscription-0:1.0.1-4.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: ansible.cfg is being read from current working directory allowing possible code execution"
}
]
}
rhsa-2018_2079
Vulnerability from csaf_redhat
Published
2018-06-28 05:21
Modified
2024-11-14 23:43
Summary
Red Hat Security Advisory: Red Hat Virtualization security, bug fix, and enhancement update
Notes
Topic
Updated redhat-virtualization-host packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The following packages have been upgraded to a later upstream version: imgbased (1.0.20), redhat-release-virtualization-host (4.2), redhat-virtualization-host (4.2). (BZ#1590664)
Security Fix(es):
* ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting this issue.
Bug Fix(es):
* Previously, if systems were configured to skip Logical Volume Manager (LVM) clusters, imgbased sees output that is unrelated to the Logical Volumes that are being queried.
As a result, imgbased failed to parse the output, causing Red Hat Virtualization Host updates to fail.
In this release imgbased now ignores output from skipped clusters enabling imgbased LVM commands to return successfully. (BZ#1568414)
Enhancement(s):
* Starting from version 4.0, Red Hat Virtualization Hosts could not be deployed from Satellite, and therefore could not take advantage of Satellite's tooling features.
In this release, Red Hat Virtualization Hosts can now be deployed from Satellite 6.3.2 and later. (BZ#1484532)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated redhat-virtualization-host packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host\u0027s resources and performing administrative tasks.\n\nThe ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host\u0027s resources and performing administrative tasks.\n\nThe following packages have been upgraded to a later upstream version: imgbased (1.0.20), redhat-release-virtualization-host (4.2), redhat-virtualization-host (4.2). (BZ#1590664)\n\nSecurity Fix(es):\n\n* ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting this issue.\n\nBug Fix(es):\n\n* Previously, if systems were configured to skip Logical Volume Manager (LVM) clusters, imgbased sees output that is unrelated to the Logical Volumes that are being queried.\n\nAs a result, imgbased failed to parse the output, causing Red Hat Virtualization Host updates to fail.\n\nIn this release imgbased now ignores output from skipped clusters enabling imgbased LVM commands to return successfully. (BZ#1568414)\n\nEnhancement(s):\n\n* Starting from version 4.0, Red Hat Virtualization Hosts could not be deployed from Satellite, and therefore could not take advantage of Satellite\u0027s tooling features.\n\nIn this release, Red Hat Virtualization Hosts can now be deployed from Satellite 6.3.2 and later. (BZ#1484532)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2079",
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1484532",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484532"
},
{
"category": "external",
"summary": "1534197",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1534197"
},
{
"category": "external",
"summary": "1568414",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1568414"
},
{
"category": "external",
"summary": "1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2079.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Virtualization security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T23:43:26+00:00",
"generator": {
"date": "2024-11-14T23:43:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:2079",
"initial_release_date": "2018-06-28T05:21:07+00:00",
"revision_history": [
{
"date": "2018-06-28T05:21:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-06-28T05:21:07+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:43:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product": {
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
},
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product": {
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch",
"product": {
"name": "redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch",
"product_id": "redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update-placeholder@4.2-4.3.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-imgbased-0:1.0.20-0.1.el7ev.noarch",
"product": {
"name": "python-imgbased-0:1.0.20-0.1.el7ev.noarch",
"product_id": "python-imgbased-0:1.0.20-0.1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-imgbased@1.0.20-0.1.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "imgbased-0:1.0.20-0.1.el7ev.noarch",
"product": {
"name": "imgbased-0:1.0.20-0.1.el7ev.noarch",
"product_id": "imgbased-0:1.0.20-0.1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imgbased@1.0.20-0.1.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch",
"product": {
"name": "redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch",
"product_id": "redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update@4.2-20180622.0.el7_5?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64",
"product": {
"name": "redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64",
"product_id": "redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.2-4.3.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-release-virtualization-host-0:4.2-4.3.el7.src",
"product": {
"name": "redhat-release-virtualization-host-0:4.2-4.3.el7.src",
"product_id": "redhat-release-virtualization-host-0:4.2-4.3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.2-4.3.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "imgbased-0:1.0.20-0.1.el7ev.src",
"product": {
"name": "imgbased-0:1.0.20-0.1.el7ev.src",
"product_id": "imgbased-0:1.0.20-0.1.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imgbased@1.0.20-0.1.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "redhat-virtualization-host-0:4.2-20180622.0.el7_5.src",
"product": {
"name": "redhat-virtualization-host-0:4.2-20180622.0.el7_5.src",
"product_id": "redhat-virtualization-host-0:4.2-20180622.0.el7_5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host@4.2-20180622.0.el7_5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-0:4.2-20180622.0.el7_5.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.2-20180622.0.el7_5.src"
},
"product_reference": "redhat-virtualization-host-0:4.2-20180622.0.el7_5.src",
"relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch"
},
"product_reference": "redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch",
"relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imgbased-0:1.0.20-0.1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.0.20-0.1.el7ev.noarch"
},
"product_reference": "imgbased-0:1.0.20-0.1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imgbased-0:1.0.20-0.1.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.0.20-0.1.el7ev.src"
},
"product_reference": "imgbased-0:1.0.20-0.1.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-imgbased-0:1.0.20-0.1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.0.20-0.1.el7ev.noarch"
},
"product_reference": "python-imgbased-0:1.0.20-0.1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-virtualization-host-0:4.2-4.3.el7.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.2-4.3.el7.src"
},
"product_reference": "redhat-release-virtualization-host-0:4.2-4.3.el7.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64 as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64"
},
"product_reference": "redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch"
},
"product_reference": "redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Tobias Henkel"
],
"organization": "BMW Car IT GmbH"
}
],
"cve": "CVE-2018-10855",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2018-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588855"
}
],
"notes": [
{
"category": "description",
"text": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.2-20180622.0.el7_5.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.0.20-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.0.20-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.0.20-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.2-4.3.el7.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10855"
},
{
"category": "external",
"summary": "RHBZ#1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10855",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"category": "external",
"summary": "https://github.com/ansible/ansible/pull/41414",
"url": "https://github.com/ansible/ansible/pull/41414"
}
],
"release_date": "2018-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-06-28T05:21:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.2-20180622.0.el7_5.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.0.20-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.0.20-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.0.20-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.2-4.3.el7.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.2-20180622.0.el7_5.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.2-20180622.0.el7_5.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.0.20-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.0.20-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.0.20-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.2-4.3.el7.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.2-4.3.el7.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.2-4.3.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs"
}
]
}
rhsa-2018_2022
Vulnerability from csaf_redhat
Published
2018-06-26 17:12
Modified
2024-11-14 23:43
Summary
Red Hat Security Advisory: ansible security and bug fix update
Notes
Topic
An update for ansible is now available for Red Hat Ansible Engine 2.4 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.
The following packages have been upgraded to a newer upstream version: ansible (2.4.5)
Security fix(es):
* ansible: Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled. (CVE-2018-10855)
Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting these issues.
Bug Fix(es):
* Fixed win_copy to preserve the global Ansible local tmp path instead of
deleting it when dealing with multiple files
(https://github.com/ansible/ansible/pull/37964)
* Fixed Windows setup.ps1 for slow performance in large domain environments
(https://github.com/ansible/ansible/pull/38646)
* Fixed eos_logging idempotency issue when trying to set both logging
destination & facility
(https://github.com/ansible/ansible/pull/40604)
* Fixed ios_logging idempotency issue when trying to set both logging
destination & facility
(https://github.com/ansible/ansible/pull/41076)
See https://github.com/ansible/ansible/blob/v2.4.5.0-1/CHANGELOG.md for details on this release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ansible is now available for Red Hat Ansible Engine 2.4 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.\n\nThe following packages have been upgraded to a newer upstream version: ansible (2.4.5)\n\nSecurity fix(es):\n\n* ansible: Ansible through version 2.5 does not properly honour the no_log option with failed task iterations. When a list of secret items is supplied to a task and a task iteration fails, secrets can be disclosed in logs despite the no_log option being enabled. (CVE-2018-10855)\n\nRed Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting these issues.\n\nBug Fix(es):\n\n* Fixed win_copy to preserve the global Ansible local tmp path instead of\n deleting it when dealing with multiple files\n (https://github.com/ansible/ansible/pull/37964)\n\n* Fixed Windows setup.ps1 for slow performance in large domain environments\n (https://github.com/ansible/ansible/pull/38646)\n\n* Fixed eos_logging idempotency issue when trying to set both logging \n destination \u0026 facility\n (https://github.com/ansible/ansible/pull/40604)\n\n* Fixed ios_logging idempotency issue when trying to set both logging \n destination \u0026 facility\n (https://github.com/ansible/ansible/pull/41076)\n\nSee https://github.com/ansible/ansible/blob/v2.4.5.0-1/CHANGELOG.md for details on this release.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2022",
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2022.json"
}
],
"title": "Red Hat Security Advisory: ansible security and bug fix update",
"tracking": {
"current_release_date": "2024-11-14T23:43:52+00:00",
"generator": {
"date": "2024-11-14T23:43:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:2022",
"initial_release_date": "2018-06-26T17:12:33+00:00",
"revision_history": [
{
"date": "2018-06-26T17:12:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-06-26T17:12:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T23:43:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ansible Engine 2.4 for RHEL 7 Server",
"product": {
"name": "Red Hat Ansible Engine 2.4 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_engine:2.4::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ansible Engine"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"product": {
"name": "ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"product_id": "ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-doc@2.4.5.0-1.el7ae?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ansible-0:2.4.5.0-1.el7ae.noarch",
"product": {
"name": "ansible-0:2.4.5.0-1.el7ae.noarch",
"product_id": "ansible-0:2.4.5.0-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.5.0-1.el7ae?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.4.5.0-1.el7ae.src",
"product": {
"name": "ansible-0:2.4.5.0-1.el7ae.src",
"product_id": "ansible-0:2.4.5.0-1.el7ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.4.5.0-1.el7ae?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.5.0-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.4 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.4:ansible-0:2.4.5.0-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.4.5.0-1.el7ae.noarch",
"relates_to_product_reference": "7Server-Ansible-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.4.5.0-1.el7ae.src as a component of Red Hat Ansible Engine 2.4 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.4:ansible-0:2.4.5.0-1.el7ae.src"
},
"product_reference": "ansible-0:2.4.5.0-1.el7ae.src",
"relates_to_product_reference": "7Server-Ansible-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-doc-0:2.4.5.0-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.4 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.4:ansible-doc-0:2.4.5.0-1.el7ae.noarch"
},
"product_reference": "ansible-doc-0:2.4.5.0-1.el7ae.noarch",
"relates_to_product_reference": "7Server-Ansible-2.4"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Tobias Henkel"
],
"organization": "BMW Car IT GmbH"
}
],
"cve": "CVE-2018-10855",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2018-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588855"
}
],
"notes": [
{
"category": "description",
"text": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-2.4:ansible-0:2.4.5.0-1.el7ae.noarch",
"7Server-Ansible-2.4:ansible-0:2.4.5.0-1.el7ae.src",
"7Server-Ansible-2.4:ansible-doc-0:2.4.5.0-1.el7ae.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10855"
},
{
"category": "external",
"summary": "RHBZ#1588855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10855",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"category": "external",
"summary": "https://github.com/ansible/ansible/pull/41414",
"url": "https://github.com/ansible/ansible/pull/41414"
}
],
"release_date": "2018-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-06-26T17:12:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Ansible-2.4:ansible-0:2.4.5.0-1.el7ae.noarch",
"7Server-Ansible-2.4:ansible-0:2.4.5.0-1.el7ae.src",
"7Server-Ansible-2.4:ansible-doc-0:2.4.5.0-1.el7ae.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-Ansible-2.4:ansible-0:2.4.5.0-1.el7ae.noarch",
"7Server-Ansible-2.4:ansible-0:2.4.5.0-1.el7ae.src",
"7Server-Ansible-2.4:ansible-doc-0:2.4.5.0-1.el7ae.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs"
}
]
}
gsd-2018-10855
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-10855",
"description": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"id": "GSD-2018-10855",
"references": [
"https://www.suse.com/security/cve/CVE-2018-10855.html",
"https://www.debian.org/security/2019/dsa-4396",
"https://access.redhat.com/errata/RHSA-2019:0054",
"https://access.redhat.com/errata/RHBA-2018:3788",
"https://access.redhat.com/errata/RHSA-2018:2585",
"https://access.redhat.com/errata/RHSA-2018:2184",
"https://access.redhat.com/errata/RHSA-2018:2079",
"https://access.redhat.com/errata/RHSA-2018:2022",
"https://access.redhat.com/errata/RHSA-2018:1949",
"https://access.redhat.com/errata/RHSA-2018:1948",
"https://ubuntu.com/security/CVE-2018-10855",
"https://advisories.mageia.org/CVE-2018-10855.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-10855"
],
"details": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"id": "GSD-2018-10855",
"modified": "2023-12-13T01:22:41.077476Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-10855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ansible",
"version": {
"version_data": [
{
"version_value": "Ansible 2.4.5"
},
{
"version_value": "Ansible 2.5.5"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:1949",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
},
{
"name": "RHBA-2018:3788",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"name": "RHSA-2018:1948",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
},
{
"name": "RHSA-2018:2184",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
},
{
"name": "RHSA-2018:2022",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
},
{
"name": "RHSA-2019:0054",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"name": "RHSA-2018:2079",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
},
{
"name": "RHSA-2018:2585",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"name": "DSA-4396",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4396"
},
{
"name": "USN-4072-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4072-1/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "==2.0||\u003e=2.4,\u003c2.4.5||\u003e2.5,\u003c=2.5.5",
"affected_versions": "Version 2.0, all versions starting from 2.4 before 2.4.5, all versions after 2.5 up to 2.5.5",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-532",
"CWE-937"
],
"date": "2019-07-25",
"description": "Ansible does not honor the `no_log` task flag for failed tasks. When the `no_log` flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"fixed_versions": [
"2.0.0.1",
"2.4.5.0",
"2.5.6"
],
"identifier": "CVE-2018-10855",
"identifiers": [
"CVE-2018-10855"
],
"not_impacted": "All versions before 2.0, all versions after 2.0 before 2.4, all versions starting from 2.4.5 up to 2.5, all versions after 2.5.5",
"package_slug": "pypi/ansible",
"pubdate": "2018-07-03",
"solution": "Upgrade to versions 2.0.0.1, 2.4.5.0, 2.5.6 or above.",
"title": "Inclusion of Sensitive Information in Log Files",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-10855",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
],
"uuid": "bc541fd8-589a-4b40-a66e-ba4974abc749"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.5.5",
"versionStartExcluding": "2.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:ansible_engine:2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.4.5",
"versionStartIncluding": "2.4",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-10855"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
},
{
"name": "RHSA-2018:2079",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
},
{
"name": "RHSA-2018:2022",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
},
{
"name": "RHSA-2018:1949",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
},
{
"name": "RHSA-2018:1948",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
},
{
"name": "RHSA-2018:2184",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
},
{
"name": "RHSA-2018:2585",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"name": "RHBA-2018:3788",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"name": "RHSA-2019:0054",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"name": "DSA-4396",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2019/dsa-4396"
},
{
"name": "USN-4072-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4072-1/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-08-04T17:14Z",
"publishedDate": "2018-07-03T01:29Z"
}
}
}
ghsa-jwcc-j78w-j73w
Vulnerability from github
Published
2018-10-10 17:23
Modified
2024-09-04 18:58
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Ansible exposes sensitive data in log files and on the terminal
Details
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0a1"
},
{
"fixed": "2.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0.0"
},
{
"fixed": "2.4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-10855"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:44:13Z",
"nvd_published_at": "2018-07-03T01:29:00Z",
"severity": "MODERATE"
},
"details": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"id": "GHSA-jwcc-j78w-j73w",
"modified": "2024-09-04T18:58:44Z",
"published": "2018-10-10T17:23:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10855"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jwcc-j78w-j73w"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-42.yaml"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4072-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4396"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ansible exposes sensitive data in log files and on the terminal"
}
pysec-2018-42
Vulnerability from pysec
Published
2018-07-03 01:29
Modified
2021-07-02 02:41
Details
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible",
"purl": "pkg:pypi/ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.5"
},
{
"fixed": "2.5.5"
},
{
"introduced": "2.4"
},
{
"fixed": "2.4.5.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.0.0",
"2.4.1.0",
"2.4.2.0",
"2.4.3.0",
"2.4.4.0",
"2.5.0",
"2.5.1",
"2.5.2",
"2.5.3",
"2.5.4"
]
}
],
"aliases": [
"CVE-2018-10855",
"GHSA-jwcc-j78w-j73w"
],
"details": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.",
"id": "PYSEC-2018-42",
"modified": "2021-07-02T02:41:34.017806Z",
"published": "2018-07-03T01:29:00Z",
"references": [
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2018:2079"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2018:2022"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2018:1949"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2018:1948"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2018:2184"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2018:2585"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHBA-2018:3788"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2019:0054"
},
{
"type": "ADVISORY",
"url": "https://www.debian.org/security/2019/dsa-4396"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4072-1/"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jwcc-j78w-j73w"
}
]
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.