Debian dla-3695 : ansible - security update

high Nessus Plugin ID 214484

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3695 advisory.

- ------------------------------------------------------------------------- Debian LTS Advisory DLA-3695-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucaris December 28, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : ansible Version : 2.7.7+dfsg-1+deb10u2 CVE ID : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115 Debian Bug : 1053693

Ansible a configuration management, deployment, and task execution system was affected by multiple vulnerabilities.

CVE-2019-10206

Fix a regression in test suite of CVE-2019-10206.

CVE-2021-3447

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality

CVE-2021-3583

A flaw was found in Ansible, where a user's controller is vulnerable to template injection.
This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

CVE-2021-3620

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

CVE-2021-20178

A flaw was found in ansible module snmp_fact where credentials are disclosed in the console log by default and not protected by the security feature This flaw allows an attacker to steal privkey and authkey credentials. The highest threat from this vulnerability is to confidentiality.

CVE-2021-20191

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using Cisco nxos moduel.
An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.

CVE-2022-3697

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

CVE-2023-5115

An absolute path traversal attack existed in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

For Debian 10 buster, these problems have been fixed in version 2.7.7+dfsg-1+deb10u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the ansible packages.

See Also

https://security-tracker.debian.org/tracker/source-package/ansible

https://security-tracker.debian.org/tracker/CVE-2019-10206

https://packages.debian.org/source/buster/ansible

https://security-tracker.debian.org/tracker/CVE-2022-3697

https://security-tracker.debian.org/tracker/CVE-2021-20191

https://security-tracker.debian.org/tracker/CVE-2021-20178

https://security-tracker.debian.org/tracker/CVE-2021-3583

https://security-tracker.debian.org/tracker/CVE-2021-3620

https://security-tracker.debian.org/tracker/CVE-2023-5115

https://security-tracker.debian.org/tracker/CVE-2021-3447

Plugin Details

Severity: High

ID: 214484

File Name: debian_DLA-3695.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/22/2025

Updated: 1/22/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2019-10206

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-3697

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:ansible, p-cpe:/a:debian:debian_linux:ansible-doc

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/28/2023

Vulnerability Publication Date: 7/24/2019

Reference Information

CVE: CVE-2019-10206, CVE-2021-20178, CVE-2021-20191, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2022-3697, CVE-2023-5115

IAVB: 2021-B-0013-S, 2022-B-0007