rhba-2020_4195
Vulnerability from csaf_redhat
Published
2020-10-06 19:24
Modified
2024-09-13 18:09
Summary
Red Hat Bug Fix Advisory: Ansible 2.8.16 release for Ansible Engine 2.8
Notes
Topic
Ansible 2.8.16 release for Ansible Engine 2.8
Details
Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.
The following packages have been upgraded to a newer upstream version:
ansible (2.8.16)
Bug Fix(es):
See:
https://github.com/ansible/ansible/blob/v2.8.16/changelogs/CHANGELOG-v2.8.rst
for details on bug fixes in this release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Ansible 2.8.16 release for Ansible Engine 2.8",
"title": "Topic"
},
{
"category": "general",
"text": "Ansible is a simple model-driven configuration management, multi-node\ndeployment, and remote-task execution system. Ansible works over SSH and\ndoes not require any software or daemons to be installed on remote nodes.\nExtension modules can be written in any language and are transferred to\nmanaged machines automatically.\n\nThe following packages have been upgraded to a newer upstream version:\nansible (2.8.16)\n\nBug Fix(es):\n\nSee:\nhttps://github.com/ansible/ansible/blob/v2.8.16/changelogs/CHANGELOG-v2.8.rst\nfor details on bug fixes in this release.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2020:4195",
"url": "https://access.redhat.com/errata/RHBA-2020:4195"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2020/rhba-2020_4195.json"
}
],
"title": "Red Hat Bug Fix Advisory: Ansible 2.8.16 release for Ansible Engine 2.8",
"tracking": {
"current_release_date": "2024-09-13T18:09:33+00:00",
"generator": {
"date": "2024-09-13T18:09:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHBA-2020:4195",
"initial_release_date": "2020-10-06T19:24:34+00:00",
"revision_history": [
{
"date": "2020-10-06T19:24:34+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-10-06T19:24:34+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-13T18:09:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ansible Engine 2.8 for RHEL 7 Server",
"product": {
"name": "Red Hat Ansible Engine 2.8 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_engine:2.8::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Ansible Engine 2.8 for RHEL 8",
"product": {
"name": "Red Hat Ansible Engine 2.8 for RHEL 8",
"product_id": "8Base-Ansible-2.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_engine:2.8::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ansible Engine"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.8.16-1.el7ae.noarch",
"product": {
"name": "ansible-0:2.8.16-1.el7ae.noarch",
"product_id": "ansible-0:2.8.16-1.el7ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.8.16-1.el7ae?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ansible-0:2.8.16-1.el8ae.noarch",
"product": {
"name": "ansible-0:2.8.16-1.el8ae.noarch",
"product_id": "ansible-0:2.8.16-1.el8ae.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.8.16-1.el8ae?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-0:2.8.16-1.el7ae.src",
"product": {
"name": "ansible-0:2.8.16-1.el7ae.src",
"product_id": "ansible-0:2.8.16-1.el7ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.8.16-1.el7ae?arch=src"
}
}
},
{
"category": "product_version",
"name": "ansible-0:2.8.16-1.el8ae.src",
"product": {
"name": "ansible-0:2.8.16-1.el8ae.src",
"product_id": "ansible-0:2.8.16-1.el8ae.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible@2.8.16-1.el8ae?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.8.16-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.8 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.noarch"
},
"product_reference": "ansible-0:2.8.16-1.el7ae.noarch",
"relates_to_product_reference": "7Server-Ansible-2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.8.16-1.el7ae.src as a component of Red Hat Ansible Engine 2.8 for RHEL 7 Server",
"product_id": "7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.src"
},
"product_reference": "ansible-0:2.8.16-1.el7ae.src",
"relates_to_product_reference": "7Server-Ansible-2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.8.16-1.el8ae.noarch as a component of Red Hat Ansible Engine 2.8 for RHEL 8",
"product_id": "8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.noarch"
},
"product_reference": "ansible-0:2.8.16-1.el8ae.noarch",
"relates_to_product_reference": "8Base-Ansible-2.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-0:2.8.16-1.el8ae.src as a component of Red Hat Ansible Engine 2.8 for RHEL 8",
"product_id": "8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.src"
},
"product_reference": "ansible-0:2.8.16-1.el8ae.src",
"relates_to_product_reference": "8Base-Ansible-2.8"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Abhijeet Kasurde"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2020-1753",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2020-03-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1811008"
}
],
"notes": [
{
"category": "description",
"text": "A security flaw was found in the Ansible Engine when managing Kubernetes using the k8s connection plugin. Sensitive parameters such as passwords and tokens are passed to the kubectl command line instead of using environment variables or an input configuration file, which is safer. This flaw discloses passwords and tokens from the process list, and the no_log directive from the debug module would not be reflected in the underlying command-line tools options, displaying passwords and tokens on stdout and log files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Ansible: kubectl connection plugin leaks sensitive information",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Ansible Engine 2.7.17, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.noarch",
"7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.src",
"8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.noarch",
"8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-1753"
},
{
"category": "external",
"summary": "RHBZ#1811008",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811008"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-1753",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1753"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753"
}
],
"release_date": "2020-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.noarch",
"7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.src",
"8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.noarch",
"8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2020:4195"
},
{
"category": "workaround",
"details": "Currently, there is no mitigation for this issue.",
"product_ids": [
"7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.noarch",
"7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.src",
"8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.noarch",
"8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.noarch",
"7Server-Ansible-2.8:ansible-0:2.8.16-1.el7ae.src",
"8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.noarch",
"8Base-Ansible-2.8:ansible-0:2.8.16-1.el8ae.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Ansible: kubectl connection plugin leaks sensitive information"
}
]
}
Loading...