
[SECURITY] [DLA 3695-1] ansible security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-3695-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
December 28, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ansible
Version        : 2.7.7+dfsg-1+deb10u2
CVE ID         : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 
                 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115
Debian Bug     : 1053693

Ansible, a configuration management, deployment, and task execution system,
was affected by multiple vulnerabilities.

CVE-2019-10206

    This update fixes a regression in the test suite of the CVE-2019-10206 fix.

CVE-2021-3447

    A flaw was found in several ansible modules, where parameters
    containing credentials, such as secrets, were being logged in
    plain text on managed nodes, as well as being made visible on the
    controller node when run in verbose mode. These parameters were
    not protected by the no_log feature. An attacker with access to
    the log files containing them can use this information to steal
    those credentials. The highest threat from this vulnerability is
    to data confidentiality.

CVE-2021-3583

    A flaw was found in Ansible, where
    a user's controller is vulnerable to template injection.
    This issue can occur through facts used in the template
    if the user is trying to put templates in multi-line YAML
    strings and the facts being handled do not routinely
    include special template characters. This flaw allows
    attackers to perform command injection, which discloses
    sensitive information. The highest threat from this
    vulnerability is to confidentiality and integrity.

CVE-2021-3620

    A flaw was found in Ansible Engine's
    ansible-connection module, where sensitive information
    such as the Ansible user credentials is disclosed by
    default in the traceback error message. The highest
    threat from this vulnerability is to confidentiality.

CVE-2021-20178

    A flaw was found in the ansible module snmp_fact, where credentials
    are disclosed in the console log by default and not protected by
    the no_log security feature. This flaw allows an attacker to steal
    privkey and authkey credentials. The highest threat from this
    vulnerability is to confidentiality.

CVE-2021-20191

    A flaw was found in ansible. Credentials, such as secrets, are
    disclosed in the console log by default and not protected by the
    no_log feature when using the Cisco nxos modules. An attacker can
    take advantage of this information to steal those credentials. The
    highest threat from this vulnerability is to data confidentiality.

CVE-2022-3697

    A flaw was found in Ansible in the amazon.aws collection when using
    the tower_callback parameter of the amazon.aws.ec2_instance module.
    The module handles the parameter insecurely, so the password leaks
    into the logs.
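Four of the issues above (CVE-2021-3447, CVE-2021-20178, CVE-2021-20191 and
CVE-2022-3697) share one root cause: a credential-bearing parameter reached
module output or a console/syslog line without being masked. The following
is an added illustration, not Ansible's own code, of what the no_log
mechanism is meant to guarantee: every value of a parameter marked
no_log=True in the argument spec is masked wherever it appears in the
module's result, including inside message strings, not only under its own
key. The argument spec, parameter values and result layout are constructed
sample data; Ansible's real implementation lives in AnsibleModule and is
more involved.

```python
"""Added example (not Ansible's code): a minimal model of no_log masking.

ARGUMENT_SPEC and PARAMS are constructed sample data in the shape Ansible
modules use; the result dict mimics what a module returns to the
controller, which is echoed under 'invocation' in verbose mode."""

MASK = "********"

# Constructed argument spec: parameters carrying credentials are no_log.
ARGUMENT_SPEC = {
    "host": {"type": "str"},
    "username": {"type": "str"},
    "password": {"type": "str", "no_log": True},
    "authkey": {"type": "str", "no_log": True},
    "privkey": {"type": "str", "no_log": True},
}

# Constructed parameters as they would arrive from a playbook task.
PARAMS = {
    "host": "switch01.example.invalid",
    "username": "admin",
    "password": "Sup3rS3cret!",
    "authkey": "authkey-abc123",
    "privkey": "privkey-xyz789",
}


def no_log_values(spec, params):
    """Collect the value of every parameter marked no_log in the spec."""
    return {
        str(params[name])
        for name, opts in spec.items()
        if opts.get("no_log") and params.get(name) not in (None, "")
    }


def redact(obj, secrets):
    """Recursively replace every occurrence of a secret value inside obj.

    Matching is done on the values, not on key names, so a credential
    that a module copied into a free-text 'msg' is masked as well."""
    if isinstance(obj, dict):
        return {k: redact(v, secrets) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, secrets) for v in obj]
    if isinstance(obj, str):
        for secret in secrets:
            obj = obj.replace(secret, MASK)
        return obj
    return obj


def module_result(spec, params):
    """Build a result the way a leaky module would, then apply masking.

    Without the redact() step both 'invocation.module_args' and 'msg'
    would carry the password in clear text; that is the pattern behind
    the logging CVEs in this advisory."""
    raw = {
        "changed": False,
        "invocation": {"module_args": dict(params)},
        "msg": "connected to %s as %s with password %s"
               % (params["host"], params["username"], params["password"]),
    }
    return redact(raw, no_log_values(spec, params))


if __name__ == "__main__":
    import json
    print(json.dumps(module_result(ARGUMENT_SPEC, PARAMS), indent=2))
```

The defender's takeaway is the check in redact(): masking by key name alone
would have left the "msg" string leaking, which is exactly how values
escaped in the affected modules.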

CVE-2023-5115

    An absolute path traversal attack existed in the Ansible automation
    platform. This flaw allows an attacker to craft a malicious Ansible
    role and make the victim execute the role. A symlink can be used to
    overwrite a file outside of the extraction path.
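The fix for this class of bug is a pre-extraction check on the archive's
members. The following is an added example, not the ansible-galaxy code,
using only the Python standard library: it rejects members with absolute
paths, members whose normalised path leaves the destination, and symlinks
or hard links whose target resolves outside the destination (a symlink
target is relative to the link's own directory, a hard link target to the
archive root). The role archive is constructed in memory and the
destination directory name is a placeholder; nothing is written to disk.

```python
"""Added example (not Ansible's code): path-traversal check for role archives."""

import io
import os
import tarfile


def _inside(root, path):
    """True if the normalised path is root itself or lies beneath it."""
    root = os.path.abspath(root)
    path = os.path.abspath(path)
    return path == root or path.startswith(root + os.sep)


def unsafe_members(tar, dest):
    """Return (member name, reason) for every entry that would write to,
    or point at, a location outside dest. An empty list means the
    archive is safe to extract with respect to path traversal."""
    problems = []
    for m in tar.getmembers():
        name = m.name
        if os.path.isabs(name):
            problems.append((name, "absolute member path"))
            continue
        target_path = os.path.join(dest, name)
        if not _inside(dest, target_path):
            problems.append((name, "member path escapes extraction dir"))
            continue
        if m.issym():
            if os.path.isabs(m.linkname):
                problems.append((name, "absolute symlink target"))
                continue
            link_dir = os.path.dirname(target_path)
            if not _inside(dest, os.path.join(link_dir, m.linkname)):
                problems.append((name, "symlink target escapes extraction dir"))
        elif m.islnk():
            if not _inside(dest, os.path.join(dest, m.linkname)):
                problems.append((name, "hard link target escapes extraction dir"))
    return problems


def build_sample_archive():
    """Constructed test data: one safe file, one safe symlink, and three
    entries that must be rejected. Not a real role."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"# tasks\n"
        info = tarfile.TarInfo("role/tasks/main.yml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        ok_link = tarfile.TarInfo("role/tasks/alias.yml")
        ok_link.type = tarfile.SYMTYPE
        ok_link.linkname = "main.yml"          # stays inside role/tasks
        tar.addfile(ok_link)

        bad_link = tarfile.TarInfo("role/files/escape")
        bad_link.type = tarfile.SYMTYPE
        bad_link.linkname = "../../../outside_target"   # climbs past dest
        tar.addfile(bad_link)

        abs_link = tarfile.TarInfo("role/files/abs")
        abs_link.type = tarfile.SYMTYPE
        abs_link.linkname = "/outside_target"  # absolute target
        tar.addfile(abs_link)

        dotdot = tarfile.TarInfo("../outside.yml")  # '..' in member name
        tar.addfile(dotdot)
    buf.seek(0)
    return buf


def check_sample(dest="/tmp/roles_dest"):
    """Run the check over the constructed archive; returns the problem list."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    for name, reason in check_sample():
        print("REJECT %-22s %s" % (name, reason))
```

This is a static, member-by-member check. A more robust variant resolves
each member's parent directory on disk with os.path.realpath as extraction
proceeds, so that a later member cannot be written through an earlier
symlink; the static check is the one a galaxy-style installer can run before
touching the filesystem at all.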

For Debian 10 buster, these problems have been fixed in version
2.7.7+dfsg-1+deb10u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS