-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0004
                          ansible security update
                               2 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ansible
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-5115 CVE-2022-3697 CVE-2021-20191 CVE-2021-20178
                   CVE-2021-3620 CVE-2021-3583 CVE-2021-3447 CVE-2019-10206

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Comment: CVSS (Max):  7.5 CVE-2022-3697 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: NIST
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3695-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
December 28, 2023                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : ansible
Version        : 2.7.7+dfsg-1+deb10u2
CVE ID         : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620
                 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115
Debian Bug     : 1053693

Ansible, a configuration management, deployment, and task execution
system, was affected by multiple vulnerabilities.

CVE-2019-10206

    Fix a regression in the test suite of CVE-2019-10206.

CVE-2021-3447

    A flaw was found in several ansible modules, where parameters
    containing credentials, such as secrets, were being logged in
    plain-text on managed nodes, as well as being made visible on the
    controller node when run in verbose mode. These parameters were not
    protected by the no_log feature.
    An attacker can take advantage of this information to steal those
    credentials, provided they have access to the log files containing
    them. The highest threat from this vulnerability is to data
    confidentiality.

CVE-2021-3583

    A flaw was found in Ansible, where a user's controller is vulnerable
    to template injection. This issue can occur through facts used in
    the template if the user is trying to put templates in multi-line
    YAML strings and the facts being handled do not routinely include
    special template characters. This flaw allows attackers to perform
    command injection, which discloses sensitive information. The
    highest threat from this vulnerability is to confidentiality and
    integrity.

CVE-2021-3620

    A flaw was found in Ansible Engine's ansible-connection module,
    where sensitive information such as the Ansible user credentials is
    disclosed by default in the traceback error message. The highest
    threat from this vulnerability is to confidentiality.

CVE-2021-20178

    A flaw was found in the ansible module snmp_fact, where credentials
    are disclosed in the console log by default and not protected by the
    security feature. This flaw allows an attacker to steal privkey and
    authkey credentials. The highest threat from this vulnerability is
    to confidentiality.

CVE-2021-20191

    A flaw was found in ansible. Credentials, such as secrets, are being
    disclosed in the console log by default and not protected by the
    no_log feature when using the Cisco nxos module. An attacker can
    take advantage of this information to steal those credentials. The
    highest threat from this vulnerability is to data confidentiality.

CVE-2022-3697

    A flaw was found in Ansible in the amazon.aws collection when using
    the tower_callback parameter from the amazon.aws.ec2_instance
    module. This flaw allows an attacker to take advantage of this
    issue as the module is handling the parameter insecurely, leading
    to the password leaking in the logs.
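The credential-logging entries above (CVE-2021-3447, CVE-2021-20178, CVE-2021-20191 and CVE-2022-3697) share one cause: a module parameter carrying a secret reached the console or task log because nothing marked it no_log. A task that sets "no_log: true" itself does not depend on the module getting that right. What follows is an added example, not code from the Debian advisory or from Ansible: a Python check that walks a parsed playbook (the structure yaml.safe_load returns) and reports tasks that hand credential-looking parameter names to a module without "no_log: true". The parameter-name pattern, the task keyword set and the sample playbook are assumptions constructed for this example; the module names in the sample (snmp_facts, mysql_user, docker_login) are only illustrative.

```python
import re

# Constructed heuristic for this example: parameter names that commonly carry
# credentials. It is not Ansible's own no_log catalogue.
SECRET_PARAM = re.compile(
    r"(password|passwd|secret|token|auth_?key|priv_?key|api_?key)$", re.IGNORECASE
)

# Task-level keywords that are never the module being invoked (assumption: a
# representative subset, sufficient for the constructed playbook below).
TASK_KEYWORDS = {
    "name", "no_log", "when", "register", "loop", "with_items", "tags", "become",
    "become_user", "vars", "delegate_to", "changed_when", "failed_when",
    "ignore_errors", "notify", "environment", "args", "block", "rescue", "always",
}


def _find_module(task):
    """Return the module a task invokes: the first key that is not a task keyword."""
    for key in task:
        if key not in TASK_KEYWORDS:
            return key
    return None


def _param_names(task, module):
    """Collect parameter names given to the module: dict form, 'k=v' string form, args:."""
    names = set()
    value = task.get(module)
    if isinstance(value, dict):
        names.update(value)
    elif isinstance(value, str):
        names.update(m.group(1) for m in re.finditer(r"(?:^|\s)(\w+)=", value))
    args = task.get("args")
    if isinstance(args, dict):
        names.update(args)
    return names


def _walk(tasks):
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = [task[s] for s in ("block", "rescue", "always") if isinstance(task.get(s), list)]
        if nested:
            for section in nested:
                yield from _walk(section)
        else:
            yield task


def find_unprotected_secrets(playbook):
    """Return (task name, module, parameter) for credential-like parameters on tasks
    without a literal 'no_log: true'. A templated no_log value is reported rather
    than trusted, so a reviewer can confirm what it evaluates to."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in _walk(play.get(section) or []):
                if task.get("no_log") is True:
                    continue
                module = _find_module(task)
                if module is None:
                    continue
                for param in sorted(_param_names(task, module)):
                    if SECRET_PARAM.search(param):
                        findings.append((task.get("name", "<unnamed>"), module, param))
    return findings


# Constructed sample: what yaml.safe_load() returns for a small playbook.
SAMPLE_PLAYBOOK = [{
    "hosts": "network",
    "tasks": [
        {"name": "Poll SNMP facts",
         "snmp_facts": {"host": "{{ inventory_hostname }}", "version": "v3",
                        "username": "monitor", "authkey": "{{ snmp_auth }}",
                        "privkey": "{{ snmp_priv }}"}},
        {"name": "Create database user",
         "mysql_user": "name=app password={{ db_pass }} priv=*.*:ALL",
         "no_log": True},
        {"block": [
            {"name": "Log in to registry",
             "docker_login": {"username": "ci", "password": "{{ registry_pass }}"}},
            {"name": "Show build id", "debug": {"msg": "build {{ build_id }}"}},
        ]},
    ],
}]

if __name__ == "__main__":
    for name, module, param in find_unprotected_secrets(SAMPLE_PLAYBOOK):
        print(f"{name}: {module} receives '{param}' without no_log: true")
```

Run against the sample, the check reports the two SNMPv3 keys and the registry password; the mysql_user task is silent because the task itself declares no_log. The same walk can be pointed at any loaded playbook or role tasks file, and because only a literal true is accepted, a variable-driven no_log shows up for review instead of being assumed safe.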
CVE-2023-5115

    An absolute path traversal attack existed in the Ansible automation
    platform. This flaw allows an attacker to craft a malicious Ansible
    role and make the victim execute the role. A symlink can be used to
    overwrite a file outside of the extraction path.

For Debian 10 buster, these problems have been fixed in version
2.7.7+dfsg-1+deb10u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmWNs+EACgkQADoaLapB
CF/ijBAAgOM6XJYRxpwzx/KQxteve1qu/VrkCdXWaJt25PhnqY0E6R4Cq+vEd4qS
PzUNfeGkTFkmYwilPFjhdBjIl8dVOiH6GRRHwx44UpfVEEBbKUIvSahqJdZsB6+Q
IsCnDv8eltDiv2FGR834SXjUD69MsjaS9ba854+c/LG5wuWaj4ektutuGQX8m+RU
t3mJX8OP7Tliri/KlVRTq6HPeKArJY+0ph7dOtPPgjOD1Kt4HE7XkTrTELYxlFfi
6/KeJoEsTe/har3il1GxFXT/BUHt3n3kfq6nBjh3E3aupbtwUz1fCFXXZq3XKHi1
QdDaXc06QlCfgI+AgJwes2/5m91msOZ2e5ikexiHOpeUBsRDjcFJN4MjWRM2eSb3
8H/9wyf3/oJEbkggAg9Rrt6bHfhBg6CIOOVOeSJAPcnueHo9x5cLd09ke7xVEvp3
e3EmUuR4nWC/6z40ykwqVedJV6j/lVcBsHGOVItIuYZKh5KLOl0K8o7dJIr1fYFO
+JBao9fKgQ9LbLWLwokCPtrN9zGWUEijQKC3O9pc9CvFcAky+yBONpA3S+VWBoOi
BHL9pfW4oRq7A7k23uqv5quIrLjg9Li9sRkrixW+pBTDGhoQKfq361bk5E2/V7xm
TStAGqI9JF/ZIH+byOcE4uFF7pXuMDuAoLKoOMdh5OvZ+AZtylU=
=pObr
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
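The CVE-2023-5115 entry in the advisory above describes a role archive that uses a symlink to write outside the extraction path. The usual defensive check for that class of archive is to inspect every member before extraction and refuse any whose name, or whose link target, resolves outside the destination directory. The Python below is an added example, not code from the advisory or from Ansible: it applies that check to a tar archive and builds a small constructed role archive to exercise it. The archive contents, the file names in it and the destination path /srv/ansible/roles are assumptions made for the example.

```python
import io
import os
import tarfile


def _escapes(root, relpath):
    """True if root/relpath resolves (lexically and through existing symlinks) outside root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root, target]) != root


def unsafe_members(tar, dest):
    """Return (member name, reason) for entries that must not be extracted into dest:
    absolute or '..'-climbing names, and symlinks or hard links whose target lands
    outside dest."""
    bad = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or _escapes(dest, m.name):
            bad.append((m.name, "entry path escapes extraction directory"))
        elif m.issym() or m.islnk():
            # A symlink target is relative to the link's own directory; a hard
            # link target is relative to the archive root.
            base = os.path.dirname(m.name) if m.issym() else ""
            if os.path.isabs(m.linkname) or _escapes(dest, os.path.join(base, m.linkname)):
                bad.append((m.name, "link target escapes extraction directory"))
    return bad


def check_archive(data, dest):
    """Open an in-memory tar archive and return the names of its unsafe members."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return [name for name, _ in unsafe_members(tar, dest)]


def build_sample_role():
    """Constructed archive: a role with one benign file, one benign relative
    symlink, one '..' entry and one symlink whose target is an absolute path."""
    buf = io.BytesIO()
    body = b"- debug: msg=hello\n"
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo("demo_role/tasks/main.yml")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))

        ok_link = tarfile.TarInfo("demo_role/files/main.yml")
        ok_link.type = tarfile.SYMTYPE
        ok_link.linkname = "../tasks/main.yml"          # stays inside the role
        tar.addfile(ok_link)

        climb = tarfile.TarInfo("../../etc/cron.d/job")  # name climbs out of dest
        climb.size = len(body)
        tar.addfile(climb, io.BytesIO(body))

        escape = tarfile.TarInfo("demo_role/files/hosts")
        escape.type = tarfile.SYMTYPE
        escape.linkname = "/etc/hosts"                   # absolute target outside dest
        tar.addfile(escape)
    return buf.getvalue()


if __name__ == "__main__":
    for name in check_archive(build_sample_role(), "/srv/ansible/roles"):
        print("refusing to extract:", name)
```

The check passes the regular file and the relative symlink and refuses the two escaping entries, so extraction can be aborted (or the offending names logged) before anything is written. Python 3.12, and the maintenance releases of 3.8 through 3.11 that backported PEP 706, also ship tarfile's built-in filter (extractall(..., filter="data")), which rejects the same classes of entry; the explicit pass is still useful on older interpreters and when the refused names need to be reported.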
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZZNM3MkNZI30y1K9AQhKMA//V3XDVW3lHDw1z8d/h5sIdesV0EEaZpO1
7sgVMsJzvWFxDrfj0SEIfVTtYP0EjuDeM1u0waoS9LMU28aJF7haoqbE8FEv0kgC
ZtCOUs+fKemHsyX9AHX1HnoWTiSQy6pSrN48MNB/Age3gKet67oLaZK+ufMwQakN
zJnHLD1B8SaUY79g7q6y6Yb52ASIwH+4KjUztKnHb7ahmHwzEzwc7yzaJ9KM2+mu
HmrwdZ7tntnVtqNuMfeSh3qQ4XNe2b2Om2yl3favbigHLhvcXgAMNUkmmZpeSHRG
9ZxNojtovIV50iy0DNak7y07aWQyGtiU0474OmuBtNzZzYM7FwWVdjd2xoz5hzuG
yXvSzcKx43/P2ispp8ZZod9MfnwcZmmFhicYSkts0sTz+2+1gXWBWtrMxJ7KyNWo
P8JgKS9vxSpAUooJWO64kYC07+vpYwZhQ1Z/O+C9TF/WXJ2EzrY+yvowOKLj2deN
AibQTLOreKs4ExmDZCl3lXTV/3s57OEq3L+srQYQQ9yLioALEas480FMx1oKc1XM
11jzVZtvoP9Tz+BMfkFv5JzvFZFKJ1e+jJtuGWlSPNzszqKAvFn2htWSx4OaRog+
prYeh1H53j5NaNkuRpa0N3Qc+kztuMvmBuarYG5OHwHhiXY5hmaFDGCDI87nTZ/0
qkwCgIt598Y=
=jkhU
-----END PGP SIGNATURE-----