ANSIBLE SECURITY

Ansible by Red Hat is highly committed to the security of our open source projects (including Ansible and AWX), our commercial solutions (including Ansible Tower and the Red Hat Ansible Automation Platform), and our supporting infrastructure. Security concerns can be reported by email to security@ansible.com and we will respond promptly. We practice responsible disclosure and will update software promptly when we agree an update is required.

In conjunction with a report to us, we will gladly disclose the nature of problems reported, but request a reasonable amount of time to update our software before an announcement is made. We may also need some time to evaluate the problem and explore details with you, depending on the nature of the report, and would like to agree on a date for release of the disclosure information that can coincide with a software update.

We'll also happily credit researchers in our list announcements of vulnerabilities.

Security Disclosures

Ansible and Red Hat Ansible Engine

  • CVE-2021-20228 - Mask default and fallback values for `no_log` module options - resolved in 2.9.18
  • CVE-2021-20191 - Various modules missing `no_log` on sensitive module arguments - resolved in 2.9.18
  • CVE-2021-20180 - bitbucket_pipeline_variable - hide user-sensitive information that is marked as `secured` from being logged to the console (similar to CVE-2021-20191) - resolved in 2.9.18
  • CVE-2021-20178 - snmp_facts - hide user-sensitive information such as `privkey` and `authkey` from being logged to the console (similar to CVE-2021-20191) - resolved in 2.9.18
  • CVE-2020-1753 - kubectl connection plugin - now redacts `kubectl_token` and `kubectl_password` in the console log (similar to CVE-2021-20191) - resolved in 2.9.14
  • CVE-2020-14365 - packages installed with the `dnf` module were previously not GPG-validated - resolved in 2.9.13
  • CVE-2020-14332 - copy - redact the value of the `no_log` `content` parameter in the result's `invocation.module_args` in check mode - resolved in 2.9.12
  • CVE-2020-14330 - uri - sanitize `no_log` values from any response keys that might be returned - resolved in 2.9.12
  • CVE-2020-1746 - ldap_attr, ldap_entry - the `params` option has been removed in ansible-base 2.10; setting `bind_pw` via `params` has been disallowed in earlier Ansible versions - resolved in 2.9.7
  • CVE-2020-1739 - subversion - password is no longer provided via command-line arguments and is instead taken from standard input - resolved in 2.9.7
  • CVE-2020-1737 - win_unzip - paths in the archive are now normalized to ensure extracted files do not escape from the target directory - resolved in 2.9.7
  • CVE-2020-1740 - vault - the temporary vault file is now created with strict permissions and a race condition is eliminated - resolved in 2.9.7
  • CVE-2020-1733 - error if the remote temporary directory already exists instead of continuing to use it - resolved in 2.9.7
  • CVE-2020-1735 - fetch action - avoid using slurp return data to set up the destination directory on the controller node - resolved in 2.9.7
  • CVE-2020-10691 - ansible-galaxy - error when install finds a tar with a file that would be extracted outside the collection install directory - resolved in 2.9.7
  • CVE-2019-14904 - solaris_zone - command injection via zone name - resolved in 2.9.3
  • CVE-2019-14905 - nxos_file_copy - command injection via the `remote_file` parameter - resolved in 2.9.3
  • CVE-2019-14864 - splunk and sumologic callback plugins leak sensitive data in logs - resolved in 2.9.1
  • CVE-2019-14856 - password prompts in ansible-playbook and the ansible CLI tools could expose passwords containing special characters because they were not properly wrapped - resolved in 2.9.0
  • CVE-2019-14858 - properly hide parameters marked with `no_log` in suboptions when invalid parameters are passed to the module - resolved in 2.9.0
  • CVE-2019-10206 - avoid templating passwords from prompt - resolved in 2.9.0

AWX and Red Hat Ansible Tower

  • CVE-2021-20253 - Escape from job isolation - resolved in Tower 3.6.7, 3.7.5, 3.8.2, and AWX 17.1
  • CVE-2020-14327 - Server-side request forgery on credentials - resolved in Tower 3.7.2, 3.6.5, and AWX 14.0
  • CVE-2020-14328 - Server-side request forgery on webhooks - resolved in Tower 3.7.2, and AWX 14.0
  • CVE-2020-14329 - Sensitive data exposure on labels - resolved in Tower 3.7.2, and AWX 14.0
  • CVE-2020-14337 - Named URLs allow for testing the presence or absence of objects - resolved in Tower 3.7.2, and AWX 14.0
  • CVE-2020-10782 - Fixed rsyslog integration to not write world-readable configuration file - resolved in Tower 3.7.1 and AWX 13.0
  • CVE-2020-10709 - Fixed OAuth2 refresh tokens to properly respect custom expiration settings - resolved in Tower 3.5.6/3.6.4 and AWX 11.0
  • CVE-2020-10698 - Fixed an issue where users could subscribe to playbook output from other organizations via websockets - resolved in Tower 3.5.6/3.6.4 and AWX 11.0
  • CVE-2020-10697 - Fixed memcached listening on TCP when deployed in OpenShift - resolved in Tower 3.5.6/3.6.4 and AWX 11.0
  • CVE-2019-19340 - Removed the guest user from the optionally-configured RabbitMQ admin interface - resolved in Tower 3.5.4/3.6.2
  • CVE-2019-19341 - Fixed assorted issues with preserving permissions in the Ansible Tower backup playbook - resolved in Tower 3.5.4/3.6.2
  • CVE-2019-19342 - Fixed a partial password disclosure when special characters existed in the RabbitMQ password - resolved in Tower 3.5.4/3.6.2 and AWX 9.1.0
  • CVE-2019-14890 - Fixed accidental disclosure of Red Hat username and password in /api/v2/config - resolved in Tower 3.6.1
  • CVE-2019-3869 - Fixed an issue to no longer expose Tower service credentials to playbook runs via environment variables when running in OpenShift - resolved in Tower 3.3.5/3.4.3 and AWX 4.0.0
  • CVE-2018-16879 - Incorrect BROKER_URL setting could allow unauthorized AMQP access - resolved in Tower 3.3.3
  • CVE-2018-10884 - CSRF vulnerability - resolved in Tower 3.1.8/3.2.6 and AWX 1.0.7
  • CVE-2018-1104 - Command injection via Jinja2 variables in user-provided extra_vars - resolved in Tower 3.1.6/3.2.4
  • CVE-2018-1101 - Organization admins could modify users by adding them to their organization - resolved in Tower 3.1.6/3.2.4
  • CVE-2017-12148 - Specially crafted ad-hoc command could compromise Tower - resolved in Tower 3.0.4/3.1.5/3.2
  • CVE-2017-12148 - Potential compromise of Tower via injection of git hooks in SCM repository - resolved in Tower 3.0.4/3.1.5/3.2
  • CVE-2016-7070 - Insecure default PostgreSQL configuration - resolved in Tower 3.0.3
  • CVE-2015-1482 - Information leak via WebSockets - resolved in Tower 2.0.5
  • CVE-2015-1481 - Potential privilege escalation for organization admins - resolved in Tower 2.0.5
  • CVE-2015-1368 - XSS vulnerability - resolved in Tower 2.0.5