Bug 29558 - ansible new security issue CVE-2021-3620
Summary: ansible new security issue CVE-2021-3620
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-10-15 20:30 CEST by David Walser
Modified: 2021-10-23 12:06 CEST
CC List: 8 users

See Also:
Source RPM: ansible-2.9.23-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-10-15 20:30:42 CEST
RedHat has issued an advisory on October 14:
https://access.redhat.com/errata/RHSA-2021:3872

The issue is fixed upstream in 2.9.27:
https://github.com/ansible/ansible/blob/v2.9.27/changelogs/CHANGELOG-v2.9.rst#id93
David Walser 2021-10-15 20:31:04 CEST

Status comment: (none) => Fixed upstream in 2.9.27

Comment 1 Nicolas Lécureuil 2021-10-16 15:50:43 CEST
New version in mageia 8:

src:
    - ansible-2.9.27-1.mga8

Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.9.27 => (none)
CC: (none) => bruno.cornec, mageia

Comment 2 Herman Viaene 2021-10-18 12:34:33 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues
The commands as shown in bug 28832 do not work anymore, I get:
$ ansible i ~/tmp/hosts all -m ping
usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD] [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts] [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o] [-t TREE] [-k]
               [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT] [--ssh-common-args SSH_COMMON_ARGS] [--sftp-extra-args SFTP_EXTRA_ARGS] [--scp-extra-args SCP_EXTRA_ARGS]
               [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D] [-e EXTRA_VARS] [--vault-id VAULT_IDS] [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES] [-f FORKS] [-M MODULE_PATH]
               [--playbook-dir BASEDIR] [-a MODULE_ARGS] [-m MODULE_NAME]
               pattern
ansible: error: unrecognized arguments: /home/tester8/tmp/hosts all

Reading https://www.digitalocean.com/community/cheatsheets/how-to-use-ansible-cheat-sheet-guide I fill in two FQDNs from my LAN, and although I can successfully login with the ssh command, I get
$ ansible  all -u herman -m ping --ask-pass
SSH password: <entered password>
mach1.hviaene.thuis | FAILED! => {
    "msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host."
}
mach5.hviaene.thuis | UNREACHABLE! => {
    "changed": false,
    "msg": "Invalid/incorrect password: ",
    "unreachable": true
}

That's all beyond me.

CC: (none) => herman.viaene

Comment 3 Bruno Cornec 2021-10-19 00:35:00 CEST
You need -i ~/tmp/hosts

CC: (none) => bruno

Comment 4 Len Lawrence 2021-10-19 13:04:15 CEST
Trouble with this here also, before the update.
$ rpm -q ansible
ansible-2.9.24-1.mga8
$ ansible -m ping -i ~/tmp/hosts all
192.168.1.aaa | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: lcl@192.168.1.aaa: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}
192.168.1.bbb | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}

The last time this was tried those nodes worked with ansible. Commandline pings work and so do ssh logins. The trouble in ansible definitely points to SSH authentication. It works for the user but not for ansible. Compared fingerprints on the remote machine with the local machine but found there were four for the home machine, different fingerprints for a.b.c.d, localhost, named node and named.local. Too confusing to check which was which.
As a last resort I copied the local ids to the target machine and that seemed to do the trick.
$ ssh-copy-id <user@remote>

$ ansible -m ping all -i ~/tmp/hosts
Enter passphrase for key '/home/lcl/.ssh/id_rsa': 192.168.1.bbb | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}
[WARNING]: Platform linux on host 192.168.1.aaa is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See https://docs.ansible.com/ansible/2.9/referen
ce_appendices/interpreter_discovery.html for more information.
192.168.1.aaa | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

I shall carry on in this vein and report back.

CC: (none) => tarazed25
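
Triage helper for the ad-hoc ping output pasted in comments 2 and 4, added here as an example that is not part of this bug report or of ansible itself: it pulls each host's result block out of the surrounding noise (interpreter warnings, an ssh passphrase prompt glued to the first header) and labels failures as a host-key or an SSH-authentication problem. SAMPLE_OUTPUT is constructed for the example and uses placeholder hosts.

```python
import json
import re

# Constructed sample modelled on the output pasted in this bug; hosts are placeholders.
SAMPLE_OUTPUT = """\
Enter passphrase for key '/home/lcl/.ssh/id_rsa': 192.168.1.bbb | UNREACHABLE! => {
    "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
    "unreachable": true
}
[WARNING]: Platform linux on host 192.168.1.aaa is using the discovered Python
192.168.1.aaa | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "ping": "pong"
}
mach1.example.test | FAILED! => {
    "msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host."
}
"""

# Result header: "<host> | <STATUS>[!] => {"; a prompt may be glued to its front, so search.
HEADER = re.compile(r"(\S+) \| (SUCCESS|CHANGED|FAILED|UNREACHABLE)!? => \{$")

def parse_results(text):
    """Map host -> {"status", "msg"}; ansible ends each block with a bare '}' at column 0."""
    results, body, current = {}, [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            current, body = (m.group(1), m.group(2)), ["{"]
        elif current is None:
            continue                # warnings, prompts and other non-result lines
        elif line == "}":
            data = json.loads("\n".join(body + ["}"]))
            results[current[0]] = {"status": current[1], "msg": data.get("msg", "")}
            current = None
        else:
            body.append(line)
    return results

def cause(entry):
    """Coarse reason for a result, keyed on the message fragments seen in this bug."""
    if entry["status"] in ("SUCCESS", "CHANGED"):
        return "ok"
    if "Host Key checking" in entry["msg"]:
        return "host_key_checking"  # target fingerprint not in known_hosts
    if "Permission denied" in entry["msg"] or "incorrect password" in entry["msg"]:
        return "ssh_auth"           # key not deployed on the target, or bad password
    return "other"
```

A host_key_checking result is best resolved by adding the target's fingerprint to known_hosts (as the message says) rather than by turning host key checking off.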

Comment 5 Len Lawrence 2021-10-19 13:16:36 CEST
Updated the ids on both remote machines and checked ansible with the ping command. On first use each host requires the passphrase for the public key. Working fine.
Updated for x86_64 and ran the simple check again.

$ ansible -m ping all -i ~/tmp/hosts
[WARNING]: Platform linux on host 192.168.1.aaa is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See https://docs.ansible.com/ansible/2.9/referen
ce_appendices/interpreter_discovery.html for more information.
192.168.1.aaa | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
[WARNING]: Platform linux on host 192.168.1.bbb is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See https://docs.ansible.com/ansible/2.9/referen
ce_appendices/interpreter_discovery.html for more information.
192.168.1.bbb | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

This is a very basic test for ansible and it has always been accepted in the past so it gets the OK.  Thanks Herman.

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2021-10-21 03:31:23 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-23 03:23:16 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-10-23 12:06:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0487.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

