CVE-2021-31918

7.5 HIGH

📋 TL;DR

This vulnerability leaves the Ansible log file written by tripleo-ansible readable by every local user on the node while a stack create or update runs, potentially revealing sensitive configuration data and credentials that the playbooks print. It affects Red Hat OpenStack Platform 16.1 deployments using tripleo-ansible. The primary risk is unauthorized information disclosure to local accounts.

💻 Affected Systems

Products:
  • Red Hat OpenStack Platform
Versions: 16.1
Operating Systems: Red Hat Enterprise Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using tripleo-ansible. The log is exposed while a stack create or update is running and, for as long as the file keeps the mode it was created with, afterwards as well.

📦 What is this software?

tripleo-ansible packages the Ansible roles, playbooks and modules that TripleO (the deployment framework behind Red Hat OpenStack Platform director) runs from the undercloud to deploy and update overcloud nodes. The Ansible log produced by those runs is the file this vulnerability exposes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to sensitive credentials, API keys, or configuration secrets stored in Ansible logs, leading to complete system compromise or data exfiltration.

🟠

Likely Case

Unauthorized users read sensitive operational data, configuration details, or partial credentials from log files, potentially enabling further attacks.

🟢

If Mitigated

Log files remain inaccessible to unauthorized users, limiting exposure to only authorized administrators with proper access controls.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires nothing more than an unprivileged local account on the node where the log is written: the attacker reads the file while a stack create or update is in progress, or later if the file still carries its original world-readable mode.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: tripleo-ansible-10.5.2-1.20210422163547.el8ost

Vendor Advisory: https://access.redhat.com/errata/RHSA-2021:2427

Restart Required: No

Instructions:

1. On the undercloud (director) node, where tripleo-ansible is installed, update the package to version 10.5.2-1.20210422163547.el8ost or later: 'yum update tripleo-ansible' (on RHEL 8, 'dnf update tripleo-ansible' is equivalent).
2. No service restart is required; the corrected log file mode takes effect on the next stack create or update.
3. Log files written by earlier runs keep the mode they were created with, because the package does not own them. Restrict those by hand (see the workaround below).

🔧 Temporary Workarounds

Manual log file permission adjustment

Temporarily set restrictive permissions on Ansible log files during stack operations

chmod 600 /var/log/ansible/*.log
chown root:root /var/log/ansible/*.log

Caveats: these commands only change files that already exist. The next stack operation creates its log with the original mode again, so re-apply them after every run, or set a default ACL on the directory ('setfacl -d -m o::- /var/log/ansible') so that newly created files get no "other" permissions regardless of the mode the writer requests. Only chown to root if root is the account that performs the deployment; otherwise keep the file owned by that account and restrict the mode alone, or the next run may fail to write its log.

🧯 If You Can't Patch

  • Implement strict access controls to limit user access to log directories
  • Monitor and audit access to Ansible log files for unauthorized reading attempts

🔍 How to Verify

Check if Vulnerable:

Run 'rpm -q tripleo-ansible' on the undercloud. If the reported build is older than tripleo-ansible-10.5.2-1.20210422163547.el8ost, the system is vulnerable. Compare with 'rpmdev-vercmp' (from rpmdevtools) rather than by eye: rpm orders versions segment by segment, so 10.10.x is newer than 10.5.x.

Check Version:

rpm -q tripleo-ansible

Verify Fix Applied:

'rpm -q tripleo-ansible' should report 10.5.2-1.20210422163547.el8ost or later. Then check the log files themselves: 'ls -la /var/log/ansible/' should show no read bit for "other" (for example -rw------- or -rw-r-----), and 'stat -c "%a %U %n" /var/log/ansible/*.log' makes the octal mode and owner explicit.
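The two checks above, as an added shell script that is not part of the advisory or of tripleo-ansible. It assumes the fixed build named in RHSA-2021:2427, the log path /var/log/ansible given on this page, and uses GNU 'sort -V' as an approximation of rpm's version ordering (use 'rpmdev-vercmp' where it is installed for an authoritative comparison). The version and mode helpers take their input as arguments so they can be exercised without rpm or the log files present; '--check' runs the live check on a host.

```shell
#!/bin/bash
# Added example (not from the advisory or the tripleo-ansible project).
# Checks (1) whether the installed tripleo-ansible NVR is at or past the
# fixed build named in RHSA-2021:2427 and (2) whether a log file's mode
# still grants read access to "other". The log path is the one this page
# names; adjust LOG_DIR if your deployment writes the log elsewhere.

FIXED_NVR="tripleo-ansible-10.5.2-1.20210422163547.el8ost"
LOG_DIR="/var/log/ansible"

# nvr_is_fixed NVR: exit 0 when NVR sorts at or after FIXED_NVR.
# GNU 'sort -V' approximates rpmvercmp; prefer 'rpmdev-vercmp' when available.
nvr_is_fixed() {
    local installed="$1" first
    first=$(printf '%s\n%s\n' "$FIXED_NVR" "$installed" | sort -V | head -n 1)
    # If the fixed build sorts first (or is equal), the installed one is >= fixed.
    [ "$first" = "$FIXED_NVR" ]
}

# mode_is_world_readable OCTAL: exit 0 when the "other" read bit is set,
# e.g. 644 -> world-readable, 600 and 640 -> not.
mode_is_world_readable() {
    local other
    other=${1#"${1%?}"}            # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]
}

# check_host: live check with rpm and stat; prints findings, exit 1 on any.
check_host() {
    local rc=0 nvr f mode
    nvr=$(rpm -q tripleo-ansible) || { echo "tripleo-ansible is not installed"; return 2; }
    if nvr_is_fixed "$nvr"; then
        echo "OK   package: $nvr"
    else
        echo "VULN package: $nvr is older than $FIXED_NVR"; rc=1
    fi
    for f in "$LOG_DIR"/*.log; do
        [ -e "$f" ] || continue       # glob matched nothing
        mode=$(stat -c '%a' "$f")
        if mode_is_world_readable "$mode"; then
            echo "VULN $f mode $mode is world-readable"; rc=1
        else
            echo "OK   $f mode $mode"
        fi
    done
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A package that is merely newer than the fixed build is not enough on its own: the second check exists because files created by earlier runs keep their original mode, so a patched host can still have a readable log until the workaround is applied to it.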

📡 Detection & Monitoring

Log Indicators:

  • Successful reads of the Ansible log by accounts other than root and the deployment account. These are visible only if an auditd watch is set on the log directory: a world-readable file produces no "Permission denied" for anything to log.
  • After the permission workaround is applied, denied opens of the log, which appear in the same audit records as success=no exit=-13 (EACCES).

Network Indicators:

  • N/A - local file access vulnerability

SIEM Query:

Reads of a world-readable file are not denied, so /var/log/secure contains nothing for this vulnerability. Put a read watch on the directory first ('auditctl -w /var/log/ansible -p r -k ansible_log_read', or the same rule in /etc/audit/rules.d/), then search the audit records (Splunk-style, assuming audit.log is indexed and the deployment account's uid is substituted):

source="/var/log/audit/audit.log" type=SYSCALL key="ansible_log_read" success=yes NOT auid IN (0, <deployment-account-uid>)

Drop the success=yes clause after the workaround is in place to also see the denied attempts.
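The audit-based detection above, as an added example that is not from the advisory: the watch rule that makes reads of the log visible, and a filter that flags successful opens by accounts outside an allow-list. The key name, the allowed auid list (root plus a deployment account assumed to be uid 1000), the log path from this page, and the sample audit records are all assumptions or constructed data; the record layout follows the standard auditd SYSCALL format.

```shell
#!/bin/bash
# Added example (not from the advisory or tripleo-ansible).
# 1. install_watch: the auditd rule that records reads of the log directory.
# 2. flag_reads:    filter raw audit records for successful opens carrying
#                   our key by an auid that is not in ALLOWED_AUIDS.
# Key name, allowed auids and the log path are assumptions.

AUDIT_KEY="ansible_log_read"
ALLOWED_AUIDS="0 1000"          # root and the (assumed) deployment account

# install_watch: persist the read watch and load it (run as root on the undercloud).
install_watch() {
    printf '%s\n' "-w /var/log/ansible -p r -k $AUDIT_KEY" \
        > /etc/audit/rules.d/ansible-log.rules
    augenrules --load
}

# flag_reads FILE: print "auid comm exe" for each SYSCALL record with our key,
# success=yes, and an auid outside the allow-list. Denied opens (success=no)
# are skipped here because they mean the workaround already blocked the read.
flag_reads() {
    awk -v key="$AUDIT_KEY" -v allowed="$ALLOWED_AUIDS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^type=SYSCALL/ && index($0, "key=\"" key "\"") && / success=yes / {
            auid = ""; comm = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/)      auid = substr($i, 6)
                else if ($i ~ /^comm=/) comm = substr($i, 6)
                else if ($i ~ /^exe=/)  exe  = substr($i, 5)
            }
            gsub(/"/, "", comm); gsub(/"/, "", exe)
            if (!(auid in ok)) print auid, comm, exe
        }' "$1"
}

# Constructed sample records (not real captures): an allowed read by the
# deployment account, a denied read by uid 1002, and a successful read by uid 1002.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1620000001.100:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0 a2=80000 a3=0 items=1 ppid=2200 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="ansible-playbook" exe="/usr/bin/python3.6" key="ansible_log_read"
type=PATH msg=audit(1620000001.100:201): item=0 name="/var/log/ansible/ansible.log" inode=4711 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1620000002.200:202): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55e1a0 a2=0 a3=0 items=1 ppid=3100 pid=3110 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=7 comm="cat" exe="/usr/bin/cat" key="ansible_log_read"
type=SYSCALL msg=audit(1620000003.300:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e2b0 a2=0 a3=0 items=1 ppid=3100 pid=3120 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=7 comm="less" exe="/usr/bin/less" key="ansible_log_read"
EOF

# On a real host, point flag_reads at /var/log/audit/audit.log instead.
flag_reads "$SAMPLE"
```

Only the third record is reported (auid 1002 reading with less). The filter keys on auid rather than uid so that a user who reaches the file through sudo or su is still attributed to the account that logged in.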

🔗 References

  • https://access.redhat.com/errata/RHSA-2021:2427
  • https://access.redhat.com/security/cve/CVE-2021-31918
  • https://nvd.nist.gov/vuln/detail/CVE-2021-31918