Bug 28832 - ansible new security issues CVE-2021-3447 and CVE-2021-3583
Summary: ansible new security issues CVE-2021-3447 and CVE-2021-3583
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2021-04-23 17:46 CEST by David Walser
Modified: 2021-09-13 02:03 CEST (History)
7 users (show)

See Also:
Source RPM: ansible-2.9.18-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-04-23 17:46:56 CEST
RedHat has issued an advisory on April 22:
https://access.redhat.com/errata/RHSA-2021:1343

The issue is fixed upstream in 2.8.20 and 2.9.20:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst#id62
https://github.com/ansible/ansible/blob/v2.9.20/changelogs/CHANGELOG-v2.9.rst#id72

I'm not if it affects 2.7.x, as it's not supported upstream anymore.
David Walser 2021-04-23 17:47:11 CEST

Status comment: (none) => Fixed upstream in 2.9.20
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-04-23 20:04:30 CEST
Assigning to NicolasL (did the 2.9.18 commit); CC'ing Bruno whose SRPM this nominally is.

Assignee: bugsquad => mageia
CC: (none) => bruno

Comment 2 David Walser 2021-04-27 19:47:46 CEST
Another equivalent advisory:
https://access.redhat.com/errata/RHSA-2021:1342
Comment 3 Bruno Cornec 2021-05-03 12:00:55 CEST
Updates for cauldron and mga8 on their way. Looking at what to do for mga7

Status: NEW => ASSIGNED

Bruno Cornec 2021-05-03 12:01:08 CEST

Assignee: mageia => bruno

Comment 4 Bruno Cornec 2021-05-29 10:03:32 CEST
ansible 2.9.22 pushed to cauldron and mga8
Comment 5 Bruno Cornec 2021-05-29 10:14:22 CEST
For mga7 there is a need to apply the patch available here and adapt it:
https://github.com/ansible-collections/community.network/pull/223/files
Comment 6 David Walser 2021-05-30 04:57:29 CEST
ansible-2.9.22-1.mga8 uploaded to updates_testing by Bruno.

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Status comment: Fixed upstream in 2.9.20 => Fixed upstream in 2.8.20

Comment 7 David Walser 2021-06-22 01:09:41 CEST
(In reply to Bruno Cornec from comment #5)
> For mga7 there is a need to apply the patch available here and adapt it:
> https://github.com/ansible-collections/community.network/pull/223/files

Ping Bruno.
Comment 8 David Walser 2021-06-24 04:15:01 CEST
SUSE has issued an advisory for this on June 22:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009066.html
Comment 9 David Walser 2021-07-01 18:50:30 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Mageia 8 update is already in updates_testing, assigning to QA.

Assignee: bruno => qa-bugs
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 2.8.20 => (none)

Comment 10 David Walser 2021-07-04 00:43:05 CEST
Fedora has issued an advisory on July 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WV7F6HL3DG7SHWHJMGWD3ZDJRAB65XNU/

The issue is fixed upstream in 2.9.23.

Mageia 8 is also affected.

Status comment: (none) => Fixed upstream in 2.9.23
Summary: ansible new security issue CVE-2021-3447 => ansible new security issues CVE-2021-3447 and CVE-2021-3583
Assignee: qa-bugs => bruno

Comment 11 David Walser 2021-07-07 15:40:40 CEST
RedHat has issued an advisory for the new CVE today (July 7):
https://access.redhat.com/errata/RHSA-2021:2664
Comment 12 Nicolas Lécureuil 2021-07-22 16:07:37 CEST
fixed in mga8/9

src:
    - ansible-2.9.23-1.mga8

Assignee: bruno => qa-bugs
Status comment: Fixed upstream in 2.9.23 => (none)
CC: (none) => mageia

Comment 13 Aurelien Oudelet 2021-07-23 10:58:30 CEST
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes,
as well as being made visible on the controller node when run in verbose mode.
These parameters were not protected by the no_log feature. An attacker can take
advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this
vulnerability is to data confidentiality. This flaw affects Red Hat Ansible
Automation Platform in versions before 1.2.2 and Ansible Tower in versions before
3.8.2 (CVE-2021-3447).

A flaw was found in Ansible, where a user's controller is vulnerable to template
injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information.
The highest threat from this vulnerability is to confidentiality and integrity
(CVE-2021-3583).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28832
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3447
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3583
 - https://access.redhat.com/errata/RHSA-2021:1342
 - https://access.redhat.com/errata/RHSA-2021:1343
 - https://access.redhat.com/errata/RHSA-2021:2664
 - https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst#id62
 - https://github.com/ansible/ansible/blob/v2.9.20/changelogs/CHANGELOG-v2.9.rst#id72
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WV7F6HL3DG7SHWHJMGWD3ZDJRAB65XNU/
========================

Updated package in core/updates_testing:
========================
ansible-2.9.23-1.mga8

from SRPM:
ansible-2.9.23-1.mga8.src.rpm

CC: (none) => ouaurelien

Comment 15 Herman Viaene 2021-07-27 16:14:40 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 28436 for tests, but run into problems.
Created ~/tmp/hosts file containing pattern like /etc/hosts (which I normally do not use as I run a DNS server on my desktop PC).
Along this line
<IP-address> <name> <FQDN>
Now at CLI:
$ ansible i ~/tmp/hosts all -m ping
usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD] [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts] [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o]
               [-t TREE] [-k] [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT] [--ssh-common-args SSH_COMMON_ARGS] [--sftp-extra-args SFTP_EXTRA_ARGS]
               [--scp-extra-args SCP_EXTRA_ARGS] [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D] [-e EXTRA_VARS] [--vault-id VAULT_IDS]
               [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES] [-f FORKS] [-M MODULE_PATH] [--playbook-dir BASEDIR] [-a MODULE_ARGS] [-m MODULE_NAME]
               pattern
ansible: error: unrecognized arguments: /home/tester8/tmp/hosts all

And in the help I get a.o.
-i INVENTORY, --inventory INVENTORY, --inventory-file INVENTORY
                        specify inventory host path or comma separated host list. --inventory-file is deprecated


I'm stuck here.

CC: (none) => herman.viaene

Comment 16 Bruno Cornec 2021-07-28 22:23:43 CEST
ansible -i rather
Comment 17 Len Lawrence 2021-07-30 19:59:10 CEST
mga8, x64

Checked ansible before updating, using a two entry hosts file.
Updated  via qarepo/MageiaUpdate and tried again and saw a failure on the first address, just as before.

$ ansible -i tmp/hosts all -u lcl -m ping
<fileserver> | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: lcl@<fileserver>: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}
[WARNING]: Platform linux on host <production> is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See https://docs.ansible.com/ansible/2.9/referen
ce_appendices/interpreter_discovery.html for more information.
<production> | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

No idea why this happens - ssh logins to the first address succeed without fuss.

So, as far as I can see ansible works about as well as it ever did.

CC: (none) => tarazed25

Comment 18 Len Lawrence 2021-09-10 21:14:40 CEST
Never been happy with this application, suspecting that it is my primitive implementation of SSL security that causes problems when I try the simple test.
The update has been hanging about long enough so let's send it on.

Whiteboard: (none) => MGA8-64-OK

Comment 19 Thomas Andrews 2021-09-13 02:03:23 CEST
Validating. Advisory information on Comment 13 and Comment 14.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update


Note You need to log in before you can comment on or make changes to this bug.