Bcoca

**Name of the Vulnerable Software and Affected Versions** Ansible Engine versions 2.7.x through 2.7.17 Ansible Engine versions 2.8.x through 2.8.11 Ansible Engine versions 2.9.x through 2.9.7 Ansible Tower versions 3.4.5 and earlier Ansible Tower versions 3.5.5 and earlier Ansible Tower versions 3.6.3 and earlier **Description** A flaw was found in Ansible Engine affecting the use of modules that decrypt vault files, such as `assemble`, `script`, `unarchive`, `win copy`, `aws s3`, or `copy` modules. The temporary directory created in `/tmp` leaves sensitive data unencrypted. On operating systems where `/tmp` is not a tmpfs but part of the root partition, the directory is only cleared on boot, and the decrypted data remains when the host is switched off. This leaves the system vulnerable when it is not running. Decrypted data must be cleared as soon as possible. **Recommendations** For Ansible Engine versions 2.7.x through 2.7.17, update to version 2.7.17 or later. For Ansible Engine versions 2.8.x through 2.8.11, update to version 2.8.11 or later. For Ansible Engine versions 2.9.x through 2.9.7, update to version 2.9.7 or later. For Ansible Tower versions 3.4.5 and earlier, update to a version later than 3.4.5. For Ansible Tower versions 3.5.5 and earlier, update to a version later than 3.5.5. For Ansible Tower versions 3.6.3 and earlier, update to a version later than 3.6.3. As a temporary workaround, consider clearing the temporary directory in `/tmp` as soon as possible to minimize the risk of exploitation. Restrict access to the vulnerable modules, such as `assemble`, `script`, `unarchive`, `win copy`, `aws s3`, or `copy`, until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ansible Engine versions 2.7.x prior to 2.7.17 Ansible Engine versions 2.8.x prior to 2.8.11 Ansible Engine versions 2.9.x prior to 2.9.7 **Description** A security flaw was found in Ansible Engine when managing Kubernetes using the k8s module. Sensitive parameters such as `passwords` and `tokens` are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose `passwords` and `tokens` from the process list, and the `no log` directive from the debug module would not have any effect, making these secrets disclosed on stdout and log files. **Recommendations** For Ansible Engine versions 2.7.x prior to 2.7.17, update to version 2.7.17 or later. For Ansible Engine versions 2.8.x prior to 2.8.11, update to version 2.8.11 or later. For Ansible Engine versions 2.9.x prior to 2.9.7, update to version 2.9.7 or later. As a temporary workaround, consider restricting access to the k8s module until a patch is available. Avoid using sensitive parameters such as `passwords` and `tokens` in the k8s module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ansible versions prior to 2.6.18 Ansible versions prior to 2.7.12 Ansible versions prior to 2.8.2 **Description** A flaw was discovered in the way Ansible templating was implemented, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution, the content of any variable may be disclosed. This issue may allow a remote attacker to access and compromise confidential data. **Recommendations** For versions prior to 2.6.18, update to version 2.6.18 or later. For versions prior to 2.7.12, update to version 2.7.12 or later. For versions prior to 2.8.2, update to version 2.8.2 or later.