PT-2020-6574 · Red Hat+2 · Ansible Engine+3

Bcoca · Published 2020-05-11 · Updated 2026-06-03 · CVE-2020-10685

CVSS v4.0: 6.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Ansible Engine versions 2.7.x through 2.7.17
Ansible Engine versions 2.8.x through 2.8.11
Ansible Engine versions 2.9.x through 2.9.7
Ansible Tower versions 3.4.5 and earlier
Ansible Tower versions 3.5.5 and earlier
Ansible Tower versions 3.6.3 and earlier
Description

A flaw was found in Ansible Engine affecting modules that decrypt vault files, such as assemble, script, unarchive, win_copy, aws_s3, or copy. The temporary directory these modules create under /tmp holds the decrypted data unencrypted. On operating systems where /tmp is not a tmpfs but part of the root partition, that directory is only cleared at boot, so the decrypted data remains on disk after the host is switched off. This leaves the system vulnerable while it is not running. Decrypted data must be cleared as soon as possible.
Recommendations

For Ansible Engine versions 2.7.x through 2.7.17, update to version 2.7.17 or later.
For Ansible Engine versions 2.8.x through 2.8.11, update to version 2.8.11 or later.
For Ansible Engine versions 2.9.x through 2.9.7, update to version 2.9.7 or later.
For Ansible Tower versions 3.4.5 and earlier, update to a version later than 3.4.5.
For Ansible Tower versions 3.5.5 and earlier, update to a version later than 3.5.5.
For Ansible Tower versions 3.6.3 and earlier, update to a version later than 3.6.3.

As a temporary workaround, clear the temporary directory under /tmp as soon as possible to minimize the window of exposure. Restrict access to the affected modules, such as assemble, script, unarchive, win_copy, aws_s3, or copy, until the issue is resolved.
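The description makes the exposure conditional on how /tmp is backed: on a tmpfs the decrypted material disappears with the power, on a persistent root partition it stays on disk until the next boot. The following triage helper, added here as an example and not code from Ansible, Red Hat or the advisory's author, answers that question for a host by parsing /proc/mounts-style text and picking the mount whose mount point is the longest prefix of /tmp (on most hosts /tmp is not its own mount, so the root filesystem decides). The set of memory-backed filesystem types, the sample mount tables and the conservative "unknown means persistent" default are the example's own assumptions.

```python
"""Report whether data written under /tmp would survive a power-off.

Added example for the CVE-2020-10685 record; not Ansible or Red Hat code.
"""
from typing import List, Optional, Tuple

# Filesystem types that live in RAM: contents do not survive a shutdown.
# Assumption: this set is the example's own choice, not something the advisory lists.
MEMORY_BACKED = {"tmpfs", "ramfs"}


def unescape_mount_path(raw: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as octal escapes (\\040 ...)."""
    out = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 < len(raw) and raw[i + 1:i + 4].isdigit():
            out.append(chr(int(raw[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str) -> List[Tuple[str, str]]:
    """Return (mount_point, fstype) pairs from the contents of /proc/mounts."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or truncated line
        entries.append((unescape_mount_path(fields[1]), fields[2]))
    return entries


def filesystem_for(path: str, mounts: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Pick the mount whose mount point is the longest prefix of `path`."""
    best = None
    for mount_point, fstype in mounts:
        if path == mount_point or path.startswith(mount_point.rstrip("/") + "/"):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, fstype)
    return best


def tmp_is_persistent(mounts_text: str, path: str = "/tmp") -> bool:
    """True when files under `path` would still be on disk after the host is switched off."""
    hit = filesystem_for(path, parse_mounts(mounts_text))
    if hit is None:
        return True  # unknown backing store: treat as persistent (conservative)
    return hit[1] not in MEMORY_BACKED


# Constructed sample mount tables (not captured from a real host).
SAMPLE_TMPFS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
SAMPLE_ROOT_ONLY = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""


def main() -> None:
    try:
        with open("/proc/mounts") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_ROOT_ONLY  # no procfs on this platform: fall back to the sample
    persistent = tmp_is_persistent(text)
    state = "persistent" if persistent else "memory-backed"
    verb = "would" if persistent else "would not"
    print(f"/tmp is {state}; leftover decrypted vault data {verb} survive a power-off")


if __name__ == "__main__":
    main()
```

A "persistent" result means the workaround above (clearing the temporary directory promptly) matters on that host even after it is powered down; a "memory-backed" result narrows the exposure to the time the host is running, which the advisory still treats as worth fixing.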

Fix

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

ALT-PU-2020-2050
ALT-PU-2020-2069
BDU:2022-00274
CVE-2020-10685
DSA-4950-1
GHSA-77G3-3J5W-64W4
OESA-2025-2065
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
OPENSUSE-SU-2026:10944-1
PYSEC-2020-1
RHSA-2020:1541
RHSA-2020:1542
RHSA-2020:1543
RHSA-2020:1544
SUSE-SU-2020:3309-1

Affected Products

Alt Linux
Ansible Engine
Ansible Tower
Astra Linux