Vulnerabilities > CVE-2019-14864 - Improper Output Neutralization for Logs vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Web Logs Tampering Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
- Log Injection-Tampering-Forging This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing him to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-2_0-0207_ANSIBLE.NASL description An update of the ansible package has been released. last seen 2020-03-17 modified 2020-02-13 plugin id 133686 published 2020-02-13 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133686 title Photon OS 2.0: Ansible PHSA-2020-2.0-0207 code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2020-2.0-0207. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(133686); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/13"); script_cve_id("CVE-2019-14864"); script_name(english:"Photon OS 2.0: Ansible PHSA-2020-2.0-0207"); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the ansible package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-207.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14864"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/02"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:ansible"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-2.0", reference:"ansible-2.7.9-3.ph2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3926.NASL description An update for Ansible is now available for Ansible Engine 2.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es) : Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. The following packages have been upgraded to a newer upstream version: ansible (2.8.7) Bug Fix(es) : See: https://github.com/ansible/ansible/blob/v2.8.7/changelogs/CHANGELOG-v2 .8.rst for details on bug fixes in this release. last seen 2020-06-01 modified 2020-06-02 plugin id 131211 published 2019-11-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131211 title RHEL 7 / 8 : ansible (RHSA-2019:3926) NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-513.NASL description This update for ansible to version 2.9.6 fixes the following issues : Security issues fixed : - CVE-2019-14904: Fixed a vulnerability in solaris_zone module via crafted solaris zone (boo#1157968). - CVE-2019-14905: Fixed an issue where malicious code could craft filename in nxos_file_copy module (boo#1157969). - CVE-2019-14864: Fixed Splunk and Sumologic callback plugins leak sensitive data in logs (boo#1154830). - CVE-2019-14846: Fixed secrets disclosure on logs due to display is hardcoded to DEBUG level (boo#1153452) - CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (boo#1154232) - CVE-2019-14858: Fixed data in the sub parameter fields that will not be masked and will be displayed when run with increased verbosity (boo#1154231) - CVE-2019-10206: ansible-playbook -k and ansible cli tools prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. (boo#1142690) - CVE-2019-10217: Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks. (boo#1144453) last seen 2020-04-17 modified 2020-04-14 plugin id 135454 published 2020-04-14 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135454 title openSUSE Security Update : ansible (openSUSE-2020-513) NASL family CGI abuses NASL id ANSIBLE_TOWER_3_6_2.NASL description The version of Ansible Tower running on the remote web server is 3.5.x prior to 3.5.4 or 3.6.x prior to 3.6.2. It is, therefore, affected by multiple vulnerabilities. - An information disclosure vulnerability exists in the Sumologic and Splunk callback plugins due to Ansible not respecting the last seen 2020-05-31 modified 2019-12-20 plugin id 132319 published 2019-12-20 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132319 title Ansible Tower 3.5.x < 3.5.4 / 3.6.x < 3.6.2 Multiple Vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3927.NASL description An update for Ansible is now available for Ansible Engine 2.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es) : Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. The following packages have been upgraded to a newer upstream version: ansible (2.9.1) Bug Fix(es) : See: https://github.com/ansible/ansible/blob/v2.9.1/changelogs/CHANGELOG-v2 .9.rst for details on bug fixes in this release. last seen 2020-06-01 modified 2020-06-02 plugin id 131212 published 2019-11-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131212 title RHEL 7 / 8 : ansible (RHSA-2019:3927) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3928.NASL description An update for Ansible is now available for Ansible Engine 2.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es) : Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. The following packages have been upgraded to a newer upstream version: ansible (2.9.1) Bug Fix(es) : See: https://github.com/ansible/ansible/blob/v2.9.1/changelogs/CHANGELOG-v2 .9.rst for details on bug fixes in this release. last seen 2020-06-01 modified 2020-06-02 plugin id 131213 published 2019-11-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131213 title RHEL 7 / 8 : ansible (RHSA-2019:3928) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3925.NASL description An update for Ansible is now available for Ansible Engine 2.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es) : Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. The following packages have been upgraded to a newer upstream version: ansible (2.7.15) Bug Fix(es) : See: https://github.com/ansible/ansible/blob/v2.7.15/changelogs/CHANGELOG-v 2.7.rst for details on bug fixes in this release. last seen 2020-06-01 modified 2020-06-02 plugin id 131210 published 2019-11-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131210 title RHEL 7 : ansible (RHSA-2019:3925) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-3_0-0058_ANSIBLE.NASL description An update of the ansible package has been released. last seen 2020-03-17 modified 2020-02-20 plugin id 133804 published 2020-02-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133804 title Photon OS 3.0: Ansible PHSA-2020-3.0-0058
Redhat
| rpms |
|
References
- https://github.com/ansible/ansible/pull/63527
- https://github.com/ansible/ansible/issues/63522
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://www.debian.org/security/2021/dsa-4950