- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3695-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
December 28, 2023                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ansible
Version        : 2.7.7+dfsg-1+deb10u2
CVE ID         : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 
                 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115
Debian Bug     : 1053693

Ansible a configuration management, deployment, and task execution system
was affected by multiple vulnerabilities.

CVE-2019-10206

    Fix a regression in test suite of CVE-2019-10206.

CVE-2021-3447

    A flaw was found in several
    ansible modules, where parameters containing credentials,
    such as secrets, were being logged in plain-text on
    managed nodes, as well as being made visible on the
    controller node when run in verbose mode. These parameters
    were not protected by the no_log feature. An attacker can
    take advantage of this information to steal those credentials,
    provided when they have access to the log files
    containing them. The highest threat from this vulnerability
    is to data confidentiality

CVE-2021-3583

    A flaw was found in Ansible, where
    a user's controller is vulnerable to template injection.
    This issue can occur through facts used in the template
    if the user is trying to put templates in multi-line YAML
    strings and the facts being handled do not routinely
    include special template characters. This flaw allows
    attackers to perform command injection, which discloses
    sensitive information. The highest threat from this
    vulnerability is to confidentiality and integrity.

CVE-2021-3620

    A flaw was found in Ansible Engine's
    ansible-connection module, where sensitive information
    such as the Ansible user credentials is disclosed by
    default in the traceback error message. The highest
    threat from this vulnerability is to confidentiality.

CVE-2021-20178

    A flaw was found in ansible module
    snmp_fact where credentials are disclosed in the console log by
    default and not protected by the security feature
    This flaw allows an attacker to steal privkey and authkey
    credentials. The highest threat from this vulnerability
    is to confidentiality.

CVE-2021-20191

    A flaw was found in ansible. Credentials,
    such as secrets, are being disclosed in console log by default
    and not protected by no_log feature when using Cisco nxos moduel.
    An attacker can take advantage of this information to steal those
    credentials. The highest threat from this vulnerability is
    to data confidentiality.

CVE-2022-3697

    A flaw was found in Ansible in the amazon.aws
    collection when using the tower_callback parameter from the
    amazon.aws.ec2_instance module. This flaw allows an attacker
    to take advantage of this issue as the module is handling the
    parameter insecurely, leading to the password leaking in the logs.

CVE-2023-5115

    An absolute path traversal attack existed
    in the Ansible automation platform. This flaw allows an
    attacker to craft a malicious Ansible role and make the
    victim execute the role. A symlink can be used to
    overwrite a file outside of the extraction path.

For Debian 10 buster, these problems have been fixed in version
2.7.7+dfsg-1+deb10u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/ansible

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3695-1: ansible security update

December 28, 2023
Ansible a configuration management, deployment, and task execution system was affected by multiple vulnerabilities

Summary

CVE-2019-10206

Fix a regression in test suite of CVE-2019-10206.

CVE-2021-3447

A flaw was found in several
ansible modules, where parameters containing credentials,
such as secrets, were being logged in plain-text on
managed nodes, as well as being made visible on the
controller node when run in verbose mode. These parameters
were not protected by the no_log feature. An attacker can
take advantage of this information to steal those credentials,
provided when they have access to the log files
containing them. The highest threat from this vulnerability
is to data confidentiality

CVE-2021-3583

A flaw was found in Ansible, where
a user's controller is vulnerable to template injection.
This issue can occur through facts used in the template
if the user is trying to put templates in multi-line YAML
strings and the facts being handled do not routinely
include special template characters. This flaw allows
attackers to perform command injection, which discloses
sensitive information. The highest threat from this
vulnerability is to confidentiality and integrity.

CVE-2021-3620

A flaw was found in Ansible Engine's
ansible-connection module, where sensitive information
such as the Ansible user credentials is disclosed by
default in the traceback error message. The highest
threat from this vulnerability is to confidentiality.

CVE-2021-20178

A flaw was found in ansible module
snmp_fact where credentials are disclosed in the console log by
default and not protected by the security feature
This flaw allows an attacker to steal privkey and authkey
credentials. The highest threat from this vulnerability
is to confidentiality.

CVE-2021-20191

A flaw was found in ansible. Credentials,
such as secrets, are being disclosed in console log by default
and not protected by no_log feature when using Cisco nxos moduel.
An attacker can take advantage of this information to steal those
credentials. The highest threat from this vulnerability is
to data confidentiality.

CVE-2022-3697

A flaw was found in Ansible in the amazon.aws
collection when using the tower_callback parameter from the
amazon.aws.ec2_instance module. This flaw allows an attacker
to take advantage of this issue as the module is handling the
parameter insecurely, leading to the password leaking in the logs.

CVE-2023-5115

An absolute path traversal attack existed
in the Ansible automation platform. This flaw allows an
attacker to craft a malicious Ansible role and make the
victim execute the role. A symlink can be used to
overwrite a file outside of the extraction path.

For Debian 10 buster, these problems have been fixed in version
2.7.7+dfsg-1+deb10u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/ansible

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : ansible
Version : 2.7.7+dfsg-1+deb10u2
CVE ID : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620
Debian Bug : 1053693

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo