{ "threat_severity" : "Moderate", "public_date" : "2018-11-16T00:00:00Z", "bugzilla" : { "description" : "ansible: become password logged in plaintext when used with PowerShell on Windows", "id" : "1649607", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1649607" }, "cvss3" : { "cvss3_base_score" : "4.2", "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-532", "details" : [ "Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.", "Execution of Ansible content on Microsoft's Windows platform with Powershell 5 or higher may disclose sensitive execution details including 'become' passwords, Ansible module arguments, and return values via Powershell's 'suspicious scriptblock logging' feature, which is enabled by default. The details are logged to the Powershell Operational log, which is visible to all authenticated users by default." ], "statement" : "CloudForms and Satellite 6 are not affected by this issue, since Microsoft Windows is not a supported platform.", "acknowledgement" : "Red Hat would like to thank Igor Turovsky for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Ansible Engine 2.5 for RHEL 7", "release_date" : "2018-12-04T00:00:00Z", "advisory" : "RHSA-2018:3770", "cpe" : "cpe:/a:redhat:ansible_engine:2.5::el7", "package" : "ansible-0:2.5.13-1.el7ae" }, { "product_name" : "Red Hat Ansible Engine 2.6 for RHEL 7", "release_date" : "2018-12-04T00:00:00Z", "advisory" : "RHSA-2018:3771", "cpe" : "cpe:/a:redhat:ansible_engine:2.6::el7", "package" : "ansible-0:2.6.10-1.el7ae" }, { "product_name" : "Red Hat Ansible Engine 2.7 for RHEL 7", "release_date" : "2018-12-04T00:00:00Z", "advisory" : "RHSA-2018:3773", "cpe" : "cpe:/a:redhat:ansible_engine:2.7::el7", "package" : "ansible-0:2.7.4-1.el7ae" }, { "product_name" : "Red Hat Ansible Engine 2 for RHEL 7", "release_date" : "2018-12-04T00:00:00Z", "advisory" : "RHSA-2018:3772", "cpe" : "cpe:/a:redhat:ansible_engine:2::el7", "package" : "ansible-0:2.7.4-1.el7ae" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Not affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:ceph_storage:3" }, { "product_name" : "Red Hat OpenShift Container Platform 3.2", "fix_state" : "Not affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openshift:3.2" }, { "product_name" : "Red Hat OpenShift Container Platform 3.3", "fix_state" : "Not affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openshift:3.3" }, { "product_name" : "Red Hat OpenShift Container Platform 3.4", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openshift:3.4" }, { "product_name" : "Red Hat OpenShift Container Platform 3.5", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openshift:3.5" }, { "product_name" : "Red Hat OpenShift Container Platform 3.6", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openshift:3.6" }, { "product_name" : "Red Hat OpenShift Container Platform 3.7", "fix_state" : "Affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openshift:3.7", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Enterprise 3.0", "fix_state" : "Not affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openshift:3.0" }, { "product_name" : "Red Hat OpenShift Enterprise 3.1", "fix_state" : "Not affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openshift:3.1" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openstack:10", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 12 (Pike)", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openstack:12", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 14 (Rocky)", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openstack:14", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:storage:3" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Not affected", "package_name" : "ansible", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-16859\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-16859\nhttps://github.com/ansible/ansible/pull/49142" ], "name" : "CVE-2018-16859", "csaw" : false }