7.5 - USN-4072-1

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Ansible vulnerabilities

Informations
Name	USN-4072-1	First vendor Publication	2019-07-24
Vendor	Ubuntu	Last vendor Modification	2019-07-24
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ansible.

Software Description: - ansible: Configuration management, deployment, and task execution system

Details:

It was discovered that Ansible failed to properly handle sensitive information. A local attacker could use those vulnerabilities to extract them. (CVE-2017-7481) (CVE-2018-10855) (CVE-2018-16837) (CVE-2018-16876) (CVE-2019-10156)

It was discovered that Ansible could load configuration files from the current working directory containing crafted commands. An attacker could run arbitrary code as result. (CVE-2018-10874) (CVE-2018-10875)

It was discovered that Ansible fetch module had a path traversal vulnerability. A local attacker could copy and overwrite files outside of the specified destination. (CVE-2019-3828)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04:
ansible 2.7.8+dfsg-1ubuntu0.19.04.1

Ubuntu 18.04 LTS:
ansible 2.5.1+dfsg-1ubuntu0.1

Ubuntu 16.04 LTS:
ansible 2.0.0.2-2ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4072-1
CVE-2017-7481, CVE-2018-10855, CVE-2018-10874, CVE-2018-10875,
CVE-2018-16837, CVE-2018-16876, CVE-2019-10156, CVE-2019-3828

Package Information:
https://launchpad.net/ubuntu/+source/ansible/2.7.8+dfsg-1ubuntu0.19.04.1
https://launchpad.net/ubuntu/+source/ansible/2.5.1+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/ansible/2.0.0.2-2ubuntu1.3

Original Source

Url : http://www.ubuntu.com/usn/USN-4072-1

CWE : Common Weakness Enumeration

%	Id	Name
25 %	CWE-426	Untrusted Search Path
25 %	CWE-200	Information Exposure
12 %	CWE-532	Information Leak Through Log Files
12 %	CWE-311	Missing Encryption of Sensitive Data (CWE/SANS Top 25)
12 %	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)
12 %	CWE-20	Improper Input Validation

CPE : Common Platform Enumeration

Type	Description	Count
Application	Redhat Ansible cpe:2.3:a:redhat:ansible:2.0.1:::::::* cpe:2.3:a:redhat:ansible:2.0:::::::* cpe:2.3:a:redhat:ansible:1.2.2:::::::* cpe:2.3:a:redhat:ansible:1.2.1:::::::* cpe:2.3:a:redhat:ansible:1.2:::::::* cpe:2.3:a:redhat:ansible::::::::	6
Application	Redhat Ansible Engine cpe:2.3:a:redhat:ansible_engine:2.7:::::::* cpe:2.3:a:redhat:ansible_engine:2.6:::::::* cpe:2.3:a:redhat:ansible_engine:2.5:::::::* cpe:2.3:a:redhat:ansible_engine:2.4:::::::* cpe:2.3:a:redhat:ansible_engine:2.0:::::::* cpe:2.3:a:redhat:ansible_engine::::::::	6
Application	Redhat Ansible Tower cpe:2.3:a:redhat:ansible_tower:3.3.0:::::::*	1
Application	Redhat Ceph Storage cpe:2.3:a:redhat:ceph_storage:3.0:::::::* cpe:2.3:a:redhat:ceph_storage:2.0:::::::*	2
Application	Redhat Cloudforms cpe:2.3:a:redhat:cloudforms:4.6:::::::*	1
Application	Redhat Gluster Storage cpe:2.3:a:redhat:gluster_storage:3.0.0:::::::*	1
Application	Redhat Openshift cpe:2.3:a:redhat:openshift:3.0::::enterprise:::	1
Application	Redhat Openshift Container Platform cpe:2.3:a:redhat:openshift_container_platform:3.5:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.4:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.3:::::::*	3
Application	Redhat Openstack cpe:2.3:a:redhat:openstack:14:::::::* cpe:2.3:a:redhat:openstack:13:::::::* cpe:2.3:a:redhat:openstack:12:::::::* cpe:2.3:a:redhat:openstack:11:::::::* cpe:2.3:a:redhat:openstack:10:::::::*	5
Application	Redhat Storage Console cpe:2.3:a:redhat:storage_console:2.0:::::::*	1
Application	Redhat Virtualization cpe:2.3:a:redhat:virtualization:4.1:::::::* cpe:2.3:a:redhat:virtualization:4.0:::::::*	2
Application	Redhat Virtualization Host cpe:2.3:a:redhat:virtualization_host:4.0:::::::*	1
Application	Redhat Virtualization Manager cpe:2.3:a:redhat:virtualization_manager:4.1:::::::*	1
Os	Canonical Ubuntu Linux cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::* cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts::: cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::	3
Os	Debian Debian Linux cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:o:debian:debian_linux:8.0:::::::*	2
Os	Redhat Enterprise Linux Desktop cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*	1
Os	Redhat Enterprise Linux Server cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*	1
Os	Redhat Enterprise Linux Workstation cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*	1

Nessus® Vulnerability Scanner

Date	Description
2019-01-03	Name : The remote Fedora host is missing a security update. File : fedora_2018-1a6e6196b9.nasl - Type : ACT_GATHER_INFO
2019-01-03	Name : The remote Fedora host is missing a security update. File : fedora_2018-1d2bc76093.nasl - Type : ACT_GATHER_INFO
2019-01-03	Name : The remote Fedora host is missing a security update. File : fedora_2018-615705632d.nasl - Type : ACT_GATHER_INFO
2019-01-03	Name : The remote Fedora host is missing a security update. File : fedora_2018-af82e7c863.nasl - Type : ACT_GATHER_INFO
2018-11-13	Name : The remote Debian host is missing a security update. File : debian_DLA-1576.nasl - Type : ACT_GATHER_INFO
2018-07-24	Name : The remote Fedora host is missing a security update. File : fedora_2018-53790a5236.nasl - Type : ACT_GATHER_INFO
2018-06-25	Name : The remote Fedora host is missing a security update. File : fedora_2018-b619637e45.nasl - Type : ACT_GATHER_INFO
2017-11-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2017-1259.nasl - Type : ACT_GATHER_INFO
2017-08-29	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-2524.nasl - Type : ACT_GATHER_INFO
2017-07-17	Name : The remote Fedora host is missing a security update. File : fedora_2017-49c0ac5ce7.nasl - Type : ACT_GATHER_INFO
2017-06-22	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2017-1499.nasl - Type : ACT_GATHER_INFO
2017-06-13	Name : The remote Fedora host is missing a security update. File : fedora_2017-6aff7475b7.nasl - Type : ACT_GATHER_INFO
2017-06-12	Name : The remote Fedora host is missing a security update. File : fedora_2017-87a64155eb.nasl - Type : ACT_GATHER_INFO
2017-06-05	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_15a04b9f47cb11e7a853001fbc0f280f.nasl - Type : ACT_GATHER_INFO
2017-05-30	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2017-1334.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2019-08-15 12:10:18	Multiple Updates
2019-07-25 05:17:54	First insertion

Global Informations

Type	Count
CWE ID(s)	8
CPE ID(s)	39
Nessus® Exploit(s)	15

	Related
9.8	CVE-2017-7481
7.8	CVE-2018-16837
7.8	CVE-2018-10875
7.8	CVE-2018-10874
5.9	CVE-2018-10855
5.4	CVE-2019-10156
5.3	CVE-2018-16876
4.2	CVE-2019-3828
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 8 more Alert(s)

7.5 - USN-4072-1

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU