From 90e74dd2600e5cc42dd9b4f4656f3d651c4ce5c4 Mon Sep 17 00:00:00 2001 From: Toshio Kuratomi Date: Tue, 24 Sep 2019 09:56:19 -0700 Subject: [PATCH] Fix for plugins which used the boto libraries leaking the boto credentials to logs (cherry picked from commit 3753304d209f2fdc28f0b2ebf1e139eb3d8c22b1) https://github.com/ansible/ansible/pull/63366 --- changelogs/fragments/boto-logging-credentials.yml | 10 ++++++++++ lib/ansible/utils/display.py | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/boto-logging-credentials.yml diff --git a/changelogs/fragments/boto-logging-credentials.yml b/changelogs/fragments/boto-logging-credentials.yml new file mode 100644 index 00000000000..5a2b47be8e4 --- /dev/null +++ b/changelogs/fragments/boto-logging-credentials.yml @@ -0,0 +1,10 @@ +bugfixes: + - "**SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials + in log files. inventory/aws_ec2.py, inventory/aws_rds.py, + lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the + boto3 library from the Ansible process. The boto3 library logs credentials at log level + DEBUG. If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would + set the global log level to DEBUG. This was inherited by boto and would then log boto + credentials to the file specified by LOG_PATH. This did not affect aws ansible modules + as those are executed in a separate process. This has been fixed by switching to log + level INFO" diff --git a/lib/ansible/utils/display.py b/lib/ansible/utils/display.py index 2f21646467c..175a3377783 100644 --- a/lib/ansible/utils/display.py +++ b/lib/ansible/utils/display.py @@ -60,7 +60,7 @@ logger = None if getattr(C, 'DEFAULT_LOG_PATH'): path = C.DEFAULT_LOG_PATH if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK): - logging.basicConfig(filename=path, level=logging.DEBUG, format='%(asctime)s %(name)s %(message)s') + logging.basicConfig(filename=path, level=logging.INFO, format='%(asctime)s %(name)s %(message)s') mypid = str(os.getpid()) user = getpass.getuser() logger = logging.getLogger("p=%s u=%s | " % (mypid, user))