| Summary: | ansible new security issues CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, mageia, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA8-64-OK MGA7-64-OK | ||
| Source RPM: | ansible-2.9.16-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2021-02-24 22:31:28 CET
David Walser
2021-02-24 22:31:44 CET
Status comment: (none) => Fixed upstream in 2.9.18

New version pushed in Mageia 8.
src:
ansible-2.9.18-1.mga8
ansible-2.9.18-1.mga9 pushed in cauldron.
I am looking to backport the patches in Mageia 7.
CC: (none) => mageia

Lightning work, Nicolas. Assigning this to you since you have already mostly done it.
Assignee: bugsquad => mageia

That may be exceedingly difficult this time.
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

mga7 is not affected by CVE-2021-20180, we do not have the bitbucket module. Fixes for:
- CVE-2021-20178
- CVE-2021-20191
- CVE-2021-20228
are in the new ansible rpm.
src:
ansible-2.7.18-1.1.mga7
Assignee: mageia => qa-bugs
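The fixed builds named in this thread (ansible-2.9.18-1.mga8 for Mageia 8, ansible-2.9.18-1.mga9 for cauldron, ansible-2.7.18-1.1.mga7 for Mageia 7) only help a tester or administrator who can tell whether the package on a given host is at or past them, and that needs rpm's own version ordering rather than a string compare (1.10 is newer than 1.9, 1.0~rc1 is older than 1.0, a numeric segment beats an alphabetic one). The following Python script is an added example, not part of this bug report or of Mageia's tooling: it ports the ordering rules of rpm's rpmvercmp() and checks the output of `rpm -q ansible` against the fixed builds above. The fixed-version table is taken from this thread; the assumption that a later rebuild with a higher release (for example a 1.2.mga7 build) is also fixed is the script's, and the check only applies to packages carrying a Mageia release tag.

```python
import re
import shutil
import subprocess

# Fixed ansible builds as named in this bug thread (mga9 is cauldron).
# Assumption: any later rebuild with a higher release tag is also fixed.
FIXED_EVR = {
    "mga7": "2.7.18-1.1.mga7",
    "mga8": "2.9.18-1.mga8",
    "mga9": "2.9.18-1.mga9",
}


def _run(s, i, pred):
    """Index just past the run of characters starting at s[i] that satisfy pred."""
    while i < len(s) and pred(s[i]):
        i += 1
    return i


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a is older than, equal to or newer than b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') only delimit segments.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' (pre-release) sorts before anything, including the end of the string.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' (post-release snapshot) sorts after the end of the string, before anything else.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next all-digit or all-alpha segment from each side.
        if ca.isdigit():
            ei, ej, numeric = _run(a, i, str.isdigit), _run(b, j, str.isdigit), True
        else:
            ei, ej, numeric = _run(a, i, str.isalpha), _run(b, j, str.isalpha), False
        seg_a, seg_b = a[i:ei], b[j:ej]
        if not seg_b:
            # Segment types differ: a numeric segment is newer than an alphabetic one.
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ei, ej
    if i >= len(a) and j >= len(b):
        return 0
    # The side with segments left over is the newer one.
    return 1 if i < len(a) else -1


def parse_evr(evr):
    """Split 'epoch:version-release' (epoch optional) into (int epoch, version, release)."""
    epoch, sep, rest = evr.rpartition(":")
    epoch = int(epoch) if sep else 0
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """rpm-style EVR comparison: epoch numerically, then version and release via rpmvercmp()."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def ansible_is_fixed(nvr):
    """True if an installed NVR (as printed by `rpm -q ansible`) is at or past the fixed build
    for the Mageia release named in its release tag; raises ValueError for anything else."""
    name, version, release = nvr.rsplit("-", 2)
    if name != "ansible":
        raise ValueError(f"not an ansible package: {nvr}")
    # Tolerate an arch-suffixed query format such as ansible-2.9.18-1.mga8.noarch.
    release = re.sub(r"\.(noarch|x86_64|i586|aarch64)$", "", release)
    m = re.search(r"\.(mga\d+)$", release)
    if not m or m.group(1) not in FIXED_EVR:
        raise ValueError(f"no fixed build known for the release tag of {nvr}")
    return evrcmp(f"{version}-{release}", FIXED_EVR[m.group(1)]) >= 0


if __name__ == "__main__":
    if shutil.which("rpm") is None:
        raise SystemExit("rpm not found; run this on the Mageia host being checked")
    out = subprocess.run(["rpm", "-q", "ansible"], capture_output=True, text=True)
    if out.returncode != 0:
        raise SystemExit(out.stdout.strip() or out.stderr.strip())
    for nvr in out.stdout.split():
        print(nvr, "fixed" if ansible_is_fixed(nvr) else "VULNERABLE: below the fixed build")
```

Run it on the host as an ordinary user; it reads the rpm database only. The release tag decides which fixed build is compared, so a Mageia 7 host is never judged against the 2.9.18 build it cannot install, and a package without a Mageia release tag is reported as unknown rather than silently passed.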
David Walser
2021-02-27 17:58:22 CET
Status comment: Fixed upstream in 2.9.18 => (none)

Advisory (Mageia 7):
========================

Updated ansible package fixes security vulnerabilities:

User data leak in snmp_facts module (CVE-2021-20178).

Multiple collections exposed secured values (CVE-2021-20191).

In basic.py, no_log with fallback option (CVE-2021-20228).

The ansible package has been patched to fix these issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20228
https://access.redhat.com/errata/RHSA-2021:0664

Advisory (Mageia 8):
========================

Updated ansible package fixes security vulnerabilities:

User data leak in snmp_facts module (CVE-2021-20178).

The bitbucket_pipeline_variable module exposed secured values (CVE-2021-20180).

Multiple collections exposed secured values (CVE-2021-20191).

In basic.py, no_log with fallback option (CVE-2021-20228).

The ansible package has been updated to version 2.9.18, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20228
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#id64
https://access.redhat.com/errata/RHSA-2021:0664

mga8, x64
Found no PoC for the CVEs in RedHat Bugzilla.
Before update:
Installed ansible.
Created ~/tmp/hosts containing URLs for three nodes on the LAN starting with the home system.
$ sudo urpmi sshpass
$ ansible -k -i ~/tmp/hosts all -m ping
SSH password:
127.0.0.1 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ECDSA key sent by the remote host is\nSHA256:<.......................................>.\r\nPlease contact your system administrator.\r\nAdd correct host key in /home/lcl/.ssh/known_hosts to get rid of this message.\r\nOffending ECDSA key in /home/lcl/.ssh/known_hosts:26\r\nECDSA host key for 192.168.1.aaa has changed and you have requested strict checking.\r\nHost key verification failed.",
"unreachable": true
}
[WARNING]: Platform linux on host 192.168.1.bbb is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See https://docs.ansible.com/ansible/2.9/referen
ce_appendices/interpreter_discovery.html for more information.
192.168.1.bbb | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
[WARNING]: Platform linux on host 192.168.1.ccc is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See https://docs.ansible.com/ansible/2.9/referen
ce_appendices/interpreter_discovery.html for more information.
192.168.1.ccc | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
So, remote hosts are accessible but localhost is not. Nothing has changed there.
Updated ansible.
Repeated the ping test, which returned the same results.
$ ansible -k -i ~/tmp/hosts all -a "/home/lcl/bin/chex"
SSH password:
.......
No result for localhost - maybe ansible is not intended to run jobs on the local machine. Removing the local address anyway. But note that for bug 26125 the job succeeded on localhost. Regression? Or something different in the setup?
The jobs worked for the other machines though - a bash environment was set up and a gui launched on the two remote monitors. ansible terminated when these widgets were removed.
$ ansible -k -i ~/tmp/hosts all -a "mate-terminal -e 'inxi -b'"
SSH password:
[WARNING]: Platform linux on host 192.168.1.bbb is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See https://docs.ansible.com/ansible/2.9/referen
ce_appendices/interpreter_discovery.html for more information.
192.168.1.bbb | FAILED | rc=255 >>
non-zero return code
[WARNING]: Platform linux on host 192.168.1.ccc is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See https://docs.ansible.com/ansible/2.9/referen
ce_appendices/interpreter_discovery.html for more information.
192.168.1.ccc | FAILED | rc=255 >>
non-zero return code
These jobs returned results all on the local monitor, each job crashing. That happened before so it is not a regression. The command runs inxi and fails in the same way if invoked on each machine from the command line, with or without ampersands.
ansible is designed for administration jobs so errors are bound to happen when an unskilled user tries it. It looks like the application works in principle so we can wave it on.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Installed and tested without issues.
Tested on several nodes in containers and QEMU/KVM VM.
Tested a few commands and it seems to be working as intended.
I don't usually use ansible so I don't have an elaborate setup where I can actually test it more exhaustively.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q ansible
ansible-2.7.18-1.2.mga7
$ ansible all -m ping
marte.local | SUCCESS => {
"changed": false,
"ping": "pong"
}
marte-co-mageia-7.local | SUCCESS => {
"changed": false,
"ping": "pong"
}
marte-co-fedora-32.local | SUCCESS => {
"changed": false,
"ping": "pong"
}
marte-co-mageia-8.local | SUCCESS => {
"changed": false,
"ping": "pong"
}
marte-vm-mageia-7.local | SUCCESS => {
"changed": false,
"ping": "pong"
}
marte-co-mageia-cauldron.local | SUCCESS => {
"changed": false,
"ping": "pong"
}
marte-vm-mageia-8.local | SUCCESS => {
"changed": false,
"ping": "pong"
}
$ ansible all -a "uname -a"
marte-co-mageia-8.local | CHANGED | rc=0 >>
Linux marte-co-mageia-8 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-co-mageia-7.local | CHANGED | rc=0 >>
Linux marte-co-mageia-7 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-co-fedora-32.local | CHANGED | rc=0 >>
Linux marte-co-fedora-32 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-co-mageia-cauldron.local | CHANGED | rc=0 >>
Linux marte-co-mageia-cauldron 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte.local | CHANGED | rc=0 >>
Linux marte 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-vm-mageia-7.local | CHANGED | rc=0 >>
Linux marte-vm-mageia-7 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-vm-mageia-8.local | CHANGED | rc=0 >>
Linux marte-vm-mageia-8 5.10.20-desktop-2.mga8 #1 SMP Fri Mar 5 18:23:13 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ ansible all -a "systemd --version"
marte.local | CHANGED | rc=0 >>
systemd 241 (241)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=hybrid
marte-co-mageia-7.local | CHANGED | rc=0 >>
systemd 241 (241)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=hybrid
marte-co-fedora-32.local | FAILED | rc=2 >>
[Errno 2] No such file or directory: 'systemd'
marte-co-mageia-cauldron.local | CHANGED | rc=0 >>
systemd 246 (246)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=unified
marte-co-mageia-8.local | CHANGED | rc=0 >>
systemd 246 (246)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=unified
marte-vm-mageia-7.local | CHANGED | rc=0 >>
systemd 241 (241)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=hybrid
marte-vm-mageia-8.local | CHANGED | rc=0 >>
systemd 246 (246)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=unified
CC: (none) => mageia

Validating. Advisory in Comment 6.
Keywords: (none) => validated_update

Advisories committed to svn using ...
[dave@x3 advisories]$ svn ci -m 'Adding mga7 security update for ansible mga#28436'
Adding 28436.mga7.adv
Transmitting file data .done
Committing transaction...
Committed revision 11475.
[dave@x3 advisories]$ mgaadv new security 28436.mga8 ansible
[dave@x3 advisories]$ svn add 28436.mga8.adv
A 28436.mga8.adv
[dave@x3 advisories]$ svn ci -m 'Adding mga8 security update for ansible mga#28436'
Adding 28436.mga8.adv
Transmitting file data .done
Committing transaction...
Committed revision 11476.
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0131.html
Status: NEW => RESOLVED

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0132.html