CVE-2019-14846
📋 TL;DR
This vulnerability in Ansible Engine allows credential disclosure through DEBUG-level logging when plugins use libraries that log credentials at that level. It affects all Ansible Engine versions up to 2.8.5, 2.7.13, and 2.6.19. The flaw does not affect Ansible modules as they execute in separate processes.
💻 Affected Systems
- Ansible Engine
📦 What is this software?
- Backports SLE by openSUSE
- Leap by openSUSE
- OpenStack by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Sensitive credentials (passwords, API keys, tokens) are exposed in log files, potentially leading to unauthorized access to managed systems and data breaches.
Likely Case
Credentials inadvertently logged in debug output could be accessed by administrators or attackers with log file access, compromising authentication security.
If Mitigated
With proper log access controls and monitoring, credential exposure is limited to authorized personnel only.
🎯 Exploit Status
Exploitation requires existing access to log files where DEBUG logging is enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ansible Engine 2.8.6, 2.7.14, 2.6.20 and later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:3201
Restart Required: No
Instructions:
1. Update Ansible Engine to version 2.8.6, 2.7.14, or 2.6.20 or later.
2. Use the package manager: 'yum update ansible' or 'apt-get update && apt-get upgrade ansible'.
3. Verify the installation with 'ansible --version'.
🔧 Temporary Workarounds
Disable DEBUG logging
Configure Ansible not to log at DEBUG level, so that libraries used by plugins cannot write credentials into the log.
Set 'log_level = WARNING' or higher in ansible.cfg under [defaults] section
Restrict log file access
Limit access to Ansible log files to authorized personnel only.
chmod 600 /var/log/ansible.log
setfacl -m u:ansible:r /var/log/ansible.log
🧯 If You Can't Patch
- Disable DEBUG logging globally in ansible.cfg configuration
- Implement strict access controls on log directories and files
🔍 How to Verify
Check if Vulnerable:
Check the Ansible version with 'ansible --version'. If the version is 2.8.5 or earlier, 2.7.13 or earlier, or 2.6.19 or earlier, the system is vulnerable.
Check Version:
ansible --version | grep 'ansible'
Verify Fix Applied:
Verify Ansible version is 2.8.6+, 2.7.14+, or 2.6.20+ with 'ansible --version'.
📡 Detection & Monitoring
Log Indicators:
- DEBUG level log entries containing password, secret, token, or credential strings
- Unexpected access to Ansible log files
Network Indicators:
- None - this is a local logging vulnerability
SIEM Query:
source="ansible.log" AND log_level="DEBUG" AND (password OR secret OR token OR credential)
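A small log scanner, added here as an example (not part of the advisory or of Ansible itself), that applies the log indicators above to sample lines: it keeps only DEBUG entries, flags those where a credential-like key carries a value, and redacts that value in the finding so the result can be shared. The sample log lines and the key=value shapes it looks for are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Keyword list taken from the advisory's "Log Indicators" section.
CREDENTIAL_KEYWORDS = ("password", "secret", "token", "credential")

# Matches key=value, key: value and "key": "value" where the key contains a
# credential keyword. Assumption: library debug output uses one of these shapes.
SECRET_PATTERN = re.compile(
    r"(?P<key>\w*(?:" + "|".join(CREDENTIAL_KEYWORDS) + r")\w*)"
    r"(?P<sep>['\"]?\s*[=:]\s*['\"]?)"
    r"(?P<value>[^'\",\s}]+)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    line_no: int
    keys: str           # credential-looking keys found on the line
    redacted_line: str  # the line with every matched value replaced

def is_debug_line(line: str) -> bool:
    # Assumption: the line carries an explicit DEBUG token, which is what the
    # advisory's SIEM query (log_level="DEBUG") also keys on.
    return re.search(r"\bDEBUG\b", line) is not None

def scan_log(text: str) -> List[Finding]:
    # One Finding per DEBUG line exposing a credential value; values are
    # redacted so the findings themselves can be shared safely.
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not is_debug_line(line):
            continue
        keys = [m.group("key") for m in SECRET_PATTERN.finditer(line)]
        if not keys:
            continue
        redacted = SECRET_PATTERN.sub(
            lambda m: m.group("key") + m.group("sep") + "[REDACTED]", line)
        findings.append(Finding(n, ",".join(keys), redacted))
    return findings

# Constructed sample lines, loosely shaped like Ansible log lines (assumption).
SAMPLE_LOG = """\
2019-10-04 10:00:01,000 p=1234 u=ansible | INFO connecting to api.example.internal
2019-10-04 10:00:01,050 p=1234 u=ansible | DEBUG request sent api_token=abc123def
2019-10-04 10:00:01,100 p=1234 u=ansible | DEBUG login payload: {"user": "svc", "password": "Hunter2!"}
2019-10-04 10:00:02,000 p=1234 u=ansible | WARNING password rotation overdue for svc
"""
```

Calling scan_log(SAMPLE_LOG) reports lines 2 and 3 only; the WARNING line mentions "password" without a value and is not a hit.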
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://access.redhat.com/errata/RHSA-2019:3201
- https://access.redhat.com/errata/RHSA-2019:3202
- https://access.redhat.com/errata/RHSA-2019:3203
- https://access.redhat.com/errata/RHSA-2019:3207
- https://access.redhat.com/errata/RHSA-2020:0756
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846
- https://github.com/ansible/ansible/pull/63366
- https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
- https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
- https://www.debian.org/security/2021/dsa-4950