USN-7330-1: Ansible vulnerabilities

Releases

• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM
• Ubuntu 14.04 ESM

Packages

• ansible - Configuration management, deployment, and task execution system

Details

It was discovered that Ansible did not properly verify certain fields of
X.509 certificates. An attacker could possibly use this issue to spoof
SSL servers if they were able to intercept network communications. This
issue only affected Ubuntu 14.04 LTS. (CVE-2015-3908)

Martin Carpenter discovered that certain connection plugins for Ansible
did not properly restrict users. An attacker with local access could
possibly use this issue to escape a restricted environment via symbolic
links misuse. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-6240)

Robin Schneider discovered that Ansible's apt_key module did not properly
verify key fingerprints. A remote attacker could possibly use this issue
to perform key injection, leading to the access of sensitive information.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-8614)

It was discovered that Ansible would expose passwords in certain
instances. An attacker could possibly use specially crafted input related
to this issue to access sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10206)

It was discovered that Ansible incorrectly logged sensitive information.
An attacker with local access could possibly use this issue to access
sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2019-14846)

It was discovered that Ansible's solaris_zone module accepted input without
performing input checking. A remote attacker could possibly use this issue
to enable the execution of arbitrary code. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-14904)

It was discovered that Ansible did not generate sufficiently random values,
which could lead to the exposure of passwords. An attacker could possibly
use this issue to access sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10729)

It was discovered that Ansible's svn module could disclose passwords to
users within the same node. An attacker could possibly use this issue to
access sensitive information. (CVE-2020-1739)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04

• ansible - 2.9.6+dfsg-1ubuntu0.1~esm3
  Available with Ubuntu Pro

Ubuntu 18.04

• ansible - 2.5.1+dfsg-1ubuntu0.1+esm5
  Available with Ubuntu Pro

Ubuntu 16.04

• ansible - 2.0.0.2-2ubuntu1.3+esm5
  Available with Ubuntu Pro
• ansible-fireball - 2.0.0.2-2ubuntu1.3+esm5
  Available with Ubuntu Pro
• ansible-node-fireball - 2.0.0.2-2ubuntu1.3+esm5
  Available with Ubuntu Pro

Ubuntu 14.04

• ansible - 1.5.4+dfsg-1ubuntu0.1~esm3
• ansible-fireball - 1.5.4+dfsg-1ubuntu0.1~esm3
• ansible-node-fireball - 1.5.4+dfsg-1ubuntu0.1~esm3

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-14904
• CVE-2020-1739
• CVE-2020-10729
• CVE-2019-14846
• CVE-2019-10206
• CVE-2015-6240
• CVE-2016-8614
• CVE-2015-3908