{
  "threat_severity" : "Important",
  "public_date" : "2020-08-31T00:00:00Z",
  "bugzilla" : {
    "description" : "ansible: dnf module install packages with no GPG signature",
    "id" : "1869154",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1869154"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-347",
  "details" : [ "A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.", "A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability." ],
  "statement" : "Ansible Engine 2.8.14 and 2.9.12 as well as previous versions are affected.\nAnsible Tower 3.7.2 and 3.6.5 as well as previous versions are affected for containerized versions, and the issue has been fixed indirectly in the 3.6.6 and 3.7.3 releases. For non-containerized Ansible Tower versions, the fix is provided via yum update or yum install.\nRed Hat Gluster Storage (RHGS) 3 and Red Hat Ceph Storage (RHCS) 2 and 3 ship the affected version of ansible, but they no longer maintain their own version of ansible. Both products will consume fixes directly from the ansible repository. As RHCS 2 and 3 do not use dnf, the impact rating is reduced to Low. RHCS still ships ansible separately for Ceph on Ubuntu, but Ubuntu is not impacted by this vulnerability as it uses apt instead of dnf.\nRed Hat OpenStack Platform 10 and 13 ship a vulnerable version of Ansible; however, installation of packages is done via yum instead of dnf, so this flaw will have no effect.",
  "acknowledgement" : "Red Hat would like to thank Bruno Travouillon (Atos) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 7",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3600",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el7",
    "package" : "ansible-0:2.8.15-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 8",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3600",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el8",
    "package" : "ansible-0:2.8.15-1.el8ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 7",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3601",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el7",
    "package" : "ansible-0:2.9.13-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 8",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3601",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el8",
    "package" : "ansible-0:2.9.13-1.el8ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 7",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3602",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el7",
    "package" : "ansible-0:2.9.13-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 8",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3602",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el8",
    "package" : "ansible-0:2.9.13-1.el8ae"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:10",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:13",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14365\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14365" ],
  "name" : "CVE-2020-14365",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}