[SECURITY] [DLA 3695-1] ansible security update

Debian LTS Advisory DLA-3695-1 [email protected]
https://www.debian.org/lts/security/ Bastien Roucariès
December 28, 2023 https://wiki.debian.org/LTS

Package : ansible
Version : 2.7.7+dfsg-1+deb10u2
CVE ID : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620
CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115
Debian Bug : 1053693

Ansible a configuration management, deployment, and task execution system
was affected by multiple vulnerabilities.

CVE-2019-10206

Fix a regression in test suite of CVE-2019-10206.

CVE-2021-3447

A flaw was found in several
ansible modules, where parameters containing credentials,
such as secrets, were being logged in plain-text on
managed nodes, as well as being made visible on the
controller node when run in verbose mode. These parameters
were not protected by the no_log feature. An attacker can
take advantage of this information to steal those credentials,
provided when they have access to the log files
containing them. The highest threat from this vulnerability
is to data confidentiality

CVE-2021-3583

A flaw was found in Ansible, where
a user's controller is vulnerable to template injection.
This issue can occur through facts used in the template
if the user is trying to put templates in multi-line YAML
strings and the facts being handled do not routinely
include special template characters. This flaw allows
attackers to perform command injection, which discloses
sensitive information. The highest threat from this
vulnerability is to confidentiality and integrity.

CVE-2021-3620

A flaw was found in Ansible Engine's
ansible-connection module, where sensitive information
such as the Ansible user credentials is disclosed by
default in the traceback error message. The highest
threat from this vulnerability is to confidentiality.

CVE-2021-20178

A flaw was found in ansible module
snmp_fact where credentials are disclosed in the console log by
default and not protected by the security feature
This flaw allows an attacker to steal privkey and authkey
credentials. The highest threat from this vulnerability
is to confidentiality.

CVE-2021-20191

A flaw was found in ansible. Credentials,
such as secrets, are being disclosed in console log by default
and not protected by no_log feature when using Cisco nxos moduel.
An attacker can take advantage of this information to steal those
credentials. The highest threat from this vulnerability is
to data confidentiality.

CVE-2022-3697

A flaw was found in Ansible in the amazon.aws
collection when using the tower_callback parameter from the
amazon.aws.ec2_instance module. This flaw allows an attacker
to take advantage of this issue as the module is handling the
parameter insecurely, leading to the password leaking in the logs.

CVE-2023-5115

An absolute path traversal attack existed
in the Ansible automation platform. This flaw allows an
attacker to craft a malicious Ansible role and make the
victim execute the role. A symlink can be used to
overwrite a file outside of the extraction path.

For Debian 10 buster, these problems have been fixed in version
2.7.7+dfsg-1+deb10u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS