New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sumologic callback plugin logging sensitive data #63522
Labels
affects_2.7
This issue/PR affects Ansible v2.7
bug
This issue/PR relates to a bug.
has_pr
This issue has an associated PR.
support:core
This issue/PR relates to code supported by the Ansible Engineering Team.
Comments
|
Files identified in the description: If these files are inaccurate, please update the |
poblahblahblah
added a commit
to poblahblahblah/ansible
that referenced
this issue
Oct 15, 2019
poblahblahblah
added a commit
to poblahblahblah/ansible
that referenced
this issue
Oct 15, 2019
|
I did a cursory glance through the splunk callback plugin and I think this impacts splunk as well, but I don't have a splunk subscription so I can't test it to verify. |
poblahblahblah
added a commit
to poblahblahblah/ansible
that referenced
this issue
Oct 16, 2019
as it can contain sensitive data Fixes ansible#63522
poblahblahblah
added a commit
to poblahblahblah/ansible
that referenced
this issue
Oct 16, 2019
as it can contain sensitive data Fixes ansible#63522
Akasurde
pushed a commit
to poblahblahblah/ansible
that referenced
this issue
Oct 31, 2019
CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes ansible#63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde
pushed a commit
that referenced
this issue
Nov 1, 2019
…ugin(#63527) CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes #63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde
pushed a commit
to Akasurde/ansible
that referenced
this issue
Nov 1, 2019
…unk plugin CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes ansible#63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> (cherry picked from commit c76e074)
Akasurde
pushed a commit
to Akasurde/ansible
that referenced
this issue
Nov 1, 2019
…unk plugin CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes ansible#63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> (cherry picked from commit c76e074)
This was referenced Nov 1, 2019
nitzmahone
pushed a commit
that referenced
this issue
Nov 12, 2019
…unk plugin (#64274) CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes #63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> (cherry picked from commit c76e074)
nitzmahone
pushed a commit
that referenced
this issue
Nov 12, 2019
…unk plugin (#64273) CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes #63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> (cherry picked from commit c76e074)
nitzmahone
pushed a commit
to nitzmahone/ansible
that referenced
this issue
Nov 12, 2019
…ugin(ansible#63527) CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes ansible#63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> (cherry picked from commit c76e074)
nitzmahone
added a commit
that referenced
this issue
Nov 13, 2019
…ugin(#63527) (#64748) CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes #63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> (cherry picked from commit c76e074)
anshulbehl
pushed a commit
to anshulbehl/ansible
that referenced
this issue
Dec 10, 2019
…ugin(ansible#63527) CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs Fixes ansible#63522 Signed-off-by: Patrick O’Brien <patrick.obrien@thetradedesk.com> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
affects_2.7
This issue/PR affects Ansible v2.7
bug
This issue/PR relates to a bug.
has_pr
This issue has an associated PR.
support:core
This issue/PR relates to code supported by the Ansible Engineering Team.
SUMMARY
The sumologic plugin logs sensitive data because no_log is not respected for arguments/vars passed to modules via the
ansible_taskobjectISSUE TYPE
COMPONENT NAME
code where ansible_task is defined: https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/callback/sumologic.py#L107
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
MacOS 10.14.6
STEPS TO REPRODUCE
Configure a SumoLogic endpoint and add configuration to ansible.cfg - you can find an example of our callback configs above.
Below we are using a custom module, but this also happens with every other module we've tested. The module we wrote, inventory_node, has no_log: True specified on the api_key argument.
This also happens if no_log: true is passed to any task.
EXPECTED RESULTS
I would expect that we not see the api key show up in SumoLogic.
ACTUAL RESULTS
We see the api key show up in our SumoLogic logs. Below is the full JSON payload that is sent and received.
The
ansible_resultobject correctly removes the sensitive field, butansible_taskobject does not.The text was updated successfully, but these errors were encountered: