Operating System:

[Debian]

Published:

02 January 2024

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0004
                          ansible security update
                              2 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ansible
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-5115 CVE-2022-3697 CVE-2021-20191
                   CVE-2021-20178 CVE-2021-3620 CVE-2021-3583
                   CVE-2021-3447 CVE-2019-10206 

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Comment: CVSS (Max):  7.5 CVE-2022-3697 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: NIST
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3695-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
December 28, 2023                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : ansible
Version        : 2.7.7+dfsg-1+deb10u2
CVE ID         : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 
                 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115
Debian Bug     : 1053693

Ansible a configuration management, deployment, and task execution system
was affected by multiple vulnerabilities.

CVE-2019-10206

    Fix a regression in test suite of CVE-2019-10206.

CVE-2021-3447

    A flaw was found in several
    ansible modules, where parameters containing credentials,
    such as secrets, were being logged in plain-text on
    managed nodes, as well as being made visible on the
    controller node when run in verbose mode. These parameters
    were not protected by the no_log feature. An attacker can
    take advantage of this information to steal those credentials,
    provided when they have access to the log files
    containing them. The highest threat from this vulnerability
    is to data confidentiality

CVE-2021-3583

    A flaw was found in Ansible, where
    a user's controller is vulnerable to template injection.
    This issue can occur through facts used in the template
    if the user is trying to put templates in multi-line YAML
    strings and the facts being handled do not routinely
    include special template characters. This flaw allows
    attackers to perform command injection, which discloses
    sensitive information. The highest threat from this
    vulnerability is to confidentiality and integrity.

CVE-2021-3620

    A flaw was found in Ansible Engine's
    ansible-connection module, where sensitive information
    such as the Ansible user credentials is disclosed by
    default in the traceback error message. The highest
    threat from this vulnerability is to confidentiality.

CVE-2021-20178

    A flaw was found in ansible module
    snmp_fact where credentials are disclosed in the console log by
    default and not protected by the security feature
    This flaw allows an attacker to steal privkey and authkey
    credentials. The highest threat from this vulnerability
    is to confidentiality.

CVE-2021-20191

    A flaw was found in ansible. Credentials,
    such as secrets, are being disclosed in console log by default
    and not protected by no_log feature when using Cisco nxos moduel.
    An attacker can take advantage of this information to steal those
    credentials. The highest threat from this vulnerability is
    to data confidentiality.

CVE-2022-3697

    A flaw was found in Ansible in the amazon.aws
    collection when using the tower_callback parameter from the
    amazon.aws.ec2_instance module. This flaw allows an attacker
    to take advantage of this issue as the module is handling the
    parameter insecurely, leading to the password leaking in the logs.

CVE-2023-5115

    An absolute path traversal attack existed
    in the Ansible automation platform. This flaw allows an
    attacker to craft a malicious Ansible role and make the
    victim execute the role. A symlink can be used to
    overwrite a file outside of the extraction path.

For Debian 10 buster, these problems have been fixed in version
2.7.7+dfsg-1+deb10u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmWNs+EACgkQADoaLapB
CF/ijBAAgOM6XJYRxpwzx/KQxteve1qu/VrkCdXWaJt25PhnqY0E6R4Cq+vEd4qS
PzUNfeGkTFkmYwilPFjhdBjIl8dVOiH6GRRHwx44UpfVEEBbKUIvSahqJdZsB6+Q
IsCnDv8eltDiv2FGR834SXjUD69MsjaS9ba854+c/LG5wuWaj4ektutuGQX8m+RU
t3mJX8OP7Tliri/KlVRTq6HPeKArJY+0ph7dOtPPgjOD1Kt4HE7XkTrTELYxlFfi
6/KeJoEsTe/har3il1GxFXT/BUHt3n3kfq6nBjh3E3aupbtwUz1fCFXXZq3XKHi1
QdDaXc06QlCfgI+AgJwes2/5m91msOZ2e5ikexiHOpeUBsRDjcFJN4MjWRM2eSb3
8H/9wyf3/oJEbkggAg9Rrt6bHfhBg6CIOOVOeSJAPcnueHo9x5cLd09ke7xVEvp3
e3EmUuR4nWC/6z40ykwqVedJV6j/lVcBsHGOVItIuYZKh5KLOl0K8o7dJIr1fYFO
+JBao9fKgQ9LbLWLwokCPtrN9zGWUEijQKC3O9pc9CvFcAky+yBONpA3S+VWBoOi
BHL9pfW4oRq7A7k23uqv5quIrLjg9Li9sRkrixW+pBTDGhoQKfq361bk5E2/V7xm
TStAGqI9JF/ZIH+byOcE4uFF7pXuMDuAoLKoOMdh5OvZ+AZtylU=
=pObr
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZZNM3MkNZI30y1K9AQhKMA//V3XDVW3lHDw1z8d/h5sIdesV0EEaZpO1
7sgVMsJzvWFxDrfj0SEIfVTtYP0EjuDeM1u0waoS9LMU28aJF7haoqbE8FEv0kgC
ZtCOUs+fKemHsyX9AHX1HnoWTiSQy6pSrN48MNB/Age3gKet67oLaZK+ufMwQakN
zJnHLD1B8SaUY79g7q6y6Yb52ASIwH+4KjUztKnHb7ahmHwzEzwc7yzaJ9KM2+mu
HmrwdZ7tntnVtqNuMfeSh3qQ4XNe2b2Om2yl3favbigHLhvcXgAMNUkmmZpeSHRG
9ZxNojtovIV50iy0DNak7y07aWQyGtiU0474OmuBtNzZzYM7FwWVdjd2xoz5hzuG
yXvSzcKx43/P2ispp8ZZod9MfnwcZmmFhicYSkts0sTz+2+1gXWBWtrMxJ7KyNWo
P8JgKS9vxSpAUooJWO64kYC07+vpYwZhQ1Z/O+C9TF/WXJ2EzrY+yvowOKLj2deN
AibQTLOreKs4ExmDZCl3lXTV/3s57OEq3L+srQYQQ9yLioALEas480FMx1oKc1XM
11jzVZtvoP9Tz+BMfkFv5JzvFZFKJ1e+jJtuGWlSPNzszqKAvFn2htWSx4OaRog+
prYeh1H53j5NaNkuRpa0N3Qc+kztuMvmBuarYG5OHwHhiXY5hmaFDGCDI87nTZ/0
qkwCgIt598Y=
=jkhU
-----END PGP SIGNATURE-----