Bug 13484

Summary: [CVE 21] ansible 2.9.10 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: a.proklov, e.kosachev, i.gaptrakhmanov, m.novosyolov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: AllFlags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2022-3697,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-08-23 16:17:40 MSK 
Please patch CVEs for package ansible version 2.9.10  
INFO (CVEs are): ansible 2.9.10 cves found
CVE-2021-20178
Desc: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20178
Severity: MEDIUM
CVE-2021-20180
Desc: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20180
Severity: MEDIUM
CVE-2021-20191
Desc: A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20191
Severity: MEDIUM
CVE-2022-3697
Desc: A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3697
Severity: HIGH
Comment 1 ilfat 2023-09-11 13:29:26 MSK 
********** QA ADVISORY **********

CVE-2021-20178 CVE-2021-20180 CVE-2021-20191 закрыты обновлением до 2.9.27

CVE-2022-3697 пока остается не закрытой, патча для ветки 2.9 нет, уязвимость касается модулей amazon.aws.


https://abf.rosalinux.ru/build_lists/4682582 x86_64
https://abf.rosalinux.ru/build_lists/4682583 aarch64
https://abf.rosalinux.ru/build_lists/4682581 i686
https://abf.rosalinux.ru/build_lists/4682585 e2kv4
https://abf.rosalinux.ru/build_lists/4682584 riscv64
Comment 2 Dmitry Postnikov 2023-09-12 09:16:52 MSK 
***************************
The update sent to testings
Comment 3 Vladimir Potapov 2023-09-19 06:37:26 MSK 
ansible-2.9.27-1
https://abf.rosalinux.ru/build_lists/4682582 x86_64
https://abf.rosalinux.ru/build_lists/4682583 aarch64
https://abf.rosalinux.ru/build_lists/4682581 i686
https://abf.rosalinux.ru/build_lists/4682585 e2kv4
https://abf.rosalinux.ru/build_lists/4682584 riscv64
****************************** Advisory **************************
CVE-2021-20178 CVE-2021-20180 CVE-2021-20191 закрыты обновлением до 2.9.27
******************************************************************
QA Verified
Comment 4 Yury 2023-10-31 14:04:35 MSK 
secteam_verified