Vulnerabilities > CVE-2019-14864 - Improper Output Neutralization for Logs vulnerability in multiple products

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
redhat
debian
opensuse
CWE-117
nessus

Summary

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Web Logs Tampering
    Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
  • Log Injection-Tampering-Forging
    This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing him to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.

Nessus

  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-2_0-0207_ANSIBLE.NASL
    descriptionAn update of the ansible package has been released.
    last seen2020-03-17
    modified2020-02-13
    plugin id133686
    published2020-02-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133686
    titlePhoton OS 2.0: Ansible PHSA-2020-2.0-0207
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-2.0-0207. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(133686);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/13");
    
      script_cve_id("CVE-2019-14864");
    
      script_name(english:"Photon OS 2.0: Ansible PHSA-2020-2.0-0207");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the ansible package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-207.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14864");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:ansible");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-2.0", reference:"ansible-2.7.9-3.ph2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3926.NASL
    descriptionAn update for Ansible is now available for Ansible Engine 2.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es) : Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. The following packages have been upgraded to a newer upstream version: ansible (2.8.7) Bug Fix(es) : See: https://github.com/ansible/ansible/blob/v2.8.7/changelogs/CHANGELOG-v2 .8.rst for details on bug fixes in this release.
    last seen2020-06-01
    modified2020-06-02
    plugin id131211
    published2019-11-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131211
    titleRHEL 7 / 8 : ansible (RHSA-2019:3926)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-513.NASL
    descriptionThis update for ansible to version 2.9.6 fixes the following issues : Security issues fixed : - CVE-2019-14904: Fixed a vulnerability in solaris_zone module via crafted solaris zone (boo#1157968). - CVE-2019-14905: Fixed an issue where malicious code could craft filename in nxos_file_copy module (boo#1157969). - CVE-2019-14864: Fixed Splunk and Sumologic callback plugins leak sensitive data in logs (boo#1154830). - CVE-2019-14846: Fixed secrets disclosure on logs due to display is hardcoded to DEBUG level (boo#1153452) - CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (boo#1154232) - CVE-2019-14858: Fixed data in the sub parameter fields that will not be masked and will be displayed when run with increased verbosity (boo#1154231) - CVE-2019-10206: ansible-playbook -k and ansible cli tools prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. (boo#1142690) - CVE-2019-10217: Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks. (boo#1144453)
    last seen2020-04-17
    modified2020-04-14
    plugin id135454
    published2020-04-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135454
    titleopenSUSE Security Update : ansible (openSUSE-2020-513)
  • NASL familyCGI abuses
    NASL idANSIBLE_TOWER_3_6_2.NASL
    descriptionThe version of Ansible Tower running on the remote web server is 3.5.x prior to 3.5.4 or 3.6.x prior to 3.6.2. It is, therefore, affected by multiple vulnerabilities. - An information disclosure vulnerability exists in the Sumologic and Splunk callback plugins due to Ansible not respecting the
    last seen2020-05-31
    modified2019-12-20
    plugin id132319
    published2019-12-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132319
    titleAnsible Tower 3.5.x < 3.5.4 / 3.6.x < 3.6.2 Multiple Vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3927.NASL
    descriptionAn update for Ansible is now available for Ansible Engine 2.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es) : Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. The following packages have been upgraded to a newer upstream version: ansible (2.9.1) Bug Fix(es) : See: https://github.com/ansible/ansible/blob/v2.9.1/changelogs/CHANGELOG-v2 .9.rst for details on bug fixes in this release.
    last seen2020-06-01
    modified2020-06-02
    plugin id131212
    published2019-11-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131212
    titleRHEL 7 / 8 : ansible (RHSA-2019:3927)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3928.NASL
    descriptionAn update for Ansible is now available for Ansible Engine 2.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es) : Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. The following packages have been upgraded to a newer upstream version: ansible (2.9.1) Bug Fix(es) : See: https://github.com/ansible/ansible/blob/v2.9.1/changelogs/CHANGELOG-v2 .9.rst for details on bug fixes in this release.
    last seen2020-06-01
    modified2020-06-02
    plugin id131213
    published2019-11-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131213
    titleRHEL 7 / 8 : ansible (RHSA-2019:3928)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3925.NASL
    descriptionAn update for Ansible is now available for Ansible Engine 2.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es) : Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. The following packages have been upgraded to a newer upstream version: ansible (2.7.15) Bug Fix(es) : See: https://github.com/ansible/ansible/blob/v2.7.15/changelogs/CHANGELOG-v 2.7.rst for details on bug fixes in this release.
    last seen2020-06-01
    modified2020-06-02
    plugin id131210
    published2019-11-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131210
    titleRHEL 7 : ansible (RHSA-2019:3925)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0058_ANSIBLE.NASL
    descriptionAn update of the ansible package has been released.
    last seen2020-03-17
    modified2020-02-20
    plugin id133804
    published2020-02-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133804
    titlePhoton OS 3.0: Ansible PHSA-2020-3.0-0058

Redhat

rpms
  • ansible-0:2.7.15-1.el7ae
  • ansible-0:2.8.7-1.el7ae
  • ansible-0:2.8.7-1.el8ae
  • ansible-0:2.9.1-1.el7
  • ansible-0:2.9.1-1.el8
  • ansible-test-0:2.9.1-1.el7
  • ansible-test-0:2.9.1-1.el8
  • ansible-0:2.9.1-1.el7
  • ansible-0:2.9.1-1.el8
  • ansible-test-0:2.9.1-1.el7
  • ansible-test-0:2.9.1-1.el8