Browse code
Fix for plugins which used the boto libraries leaking the boto credentials to logs
(cherry picked from commit 3753304d209f2fdc28f0b2ebf1e139eb3d8c22b1)
https://github.com/ansible/ansible/pull/63366
Toshio Kuratomi authored on 2019/09/25 01:56:19Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,10 @@ |
| 0 |
+bugfixes: |
|
| 1 |
+ - "**SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials |
|
| 2 |
+ in log files. inventory/aws_ec2.py, inventory/aws_rds.py, |
|
| 3 |
+ lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the |
|
| 4 |
+ boto3 library from the Ansible process. The boto3 library logs credentials at log level |
|
| 5 |
+ DEBUG. If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would |
|
| 6 |
+ set the global log level to DEBUG. This was inherited by boto and would then log boto |
|
| 7 |
+ credentials to the file specified by LOG_PATH. This did not affect aws ansible modules |
|
| 8 |
+ as those are executed in a separate process. This has been fixed by switching to log |
|
| 9 |
+ level INFO" |
| ... | ... |
@@ -60,7 +60,7 @@ logger = None |
| 60 | 60 |
if getattr(C, 'DEFAULT_LOG_PATH'): |
| 61 | 61 |
path = C.DEFAULT_LOG_PATH |
| 62 | 62 |
if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK): |
| 63 |
- logging.basicConfig(filename=path, level=logging.DEBUG, format='%(asctime)s %(name)s %(message)s') |
|
| 63 |
+ logging.basicConfig(filename=path, level=logging.INFO, format='%(asctime)s %(name)s %(message)s') |
|
| 64 | 64 |
mypid = str(os.getpid()) |
| 65 | 65 |
user = getpass.getuser() |
| 66 | 66 |
logger = logging.getLogger("p=%s u=%s | " % (mypid, user))
|