Vulnerability Name: CVE-2016-8614 (CCN-148462)

Assigned: 2016-11-01
Published: 2016-11-01
Updated: 2019-10-09
Summary: A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-320
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2016-8614

Source: BID
Type: Third Party Advisory, VDB Entry
94108

Source: CCN
Type: BID-94108
Ansible CVE-2016-8614 Security Bypass Vulnerability

Source: CCN
Type: Red Hat Bugzilla – Bug 1388038
(CVE-2016-8614) CVE-2016-8614 ansible: Improper verification of key fingerprints in apt_key module

Source: CONFIRM
Type: Exploit, Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614

Source: XF
Type: UNKNOWN
ansible-cve20168614-sec-bypass(148462)

Source: CCN
Type: ansible-modules-core GIT Repository
[security] apt_key module does not verify key fingerprints #5237

Source: CONFIRM
Type: Exploit, Third Party Advisory
https://github.com/ansible/ansible-modules-core/issues/5237

Source: CONFIRM
Type: Third Party Advisory
https://github.com/ansible/ansible-modules-core/pull/5353

Source: CONFIRM
Type: Third Party Advisory
https://github.com/ansible/ansible-modules-core/pull/5357

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-8614

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:redhat:ansible:*:*:*:*:*:*:*:* (Version < 2.2.0)

Configuration CCN 1:
  • cpe:/a:redhat:ansible:2.1.3:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20168614 | V | CVE-2016-8614 | 2022-05-22
oval:org.opensuse.security:def:34008 | P | Security update for openssh (Important) | 2021-12-02
oval:org.opensuse.security:def:33744 | P | Security update for java-1_8_0-openjdk (Important) | 2021-11-23
oval:org.opensuse.security:def:60340 | P | Security update for openssl-1_1 (Important) | 2021-08-24
oval:org.opensuse.security:def:33959 | P | Security update for java-1_8_0-openjdk (Important) | 2021-08-20
oval:org.opensuse.security:def:33901 | P | Security update for cups (Important) | 2021-04-30
oval:org.opensuse.security:def:30067 | P | Security update for gdm (Important) | 2021-04-28
oval:org.opensuse.security:def:29348 | P | Security update for sudo (Important) | 2021-04-20
oval:org.opensuse.security:def:34047 | P | Security update for tomcat (Important) | 2021-03-30
oval:org.opensuse.security:def:29479 | P | Security update for grub2 (Important) | 2021-03-02
oval:org.opensuse.security:def:59856 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:60456 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:30023 | P | Security update for wpa_supplicant (Important) | 2021-02-15
oval:org.opensuse.security:def:60300 | P | Security update for postgresql, postgresql12, postgresql13 (Important) | 2021-01-26
oval:org.opensuse.security:def:33656 | P | Security update for dovecot22 (Important) | 2021-01-04
oval:org.opensuse.security:def:30004 | P | Security update for flac (Moderate) | 2021-01-04
oval:org.opensuse.security:def:29965 | P | Security update for cyrus-sasl (Important) | 2020-12-28
oval:org.opensuse.security:def:61058 | P | Security update for openexr (Moderate) | 2020-12-23
oval:org.opensuse.security:def:33276 | P | unixODBC_23 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60718 | P | Security update for python3-requests (Moderate) | 2020-12-01
oval:org.opensuse.security:def:30742 | P | Security update for ansible (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29708 | P | Security update for MozillaFirefox | 2020-12-01
oval:org.opensuse.security:def:60761 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:25187 | P | Security update for java-1_7_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:25633 | P | Security update for perl-DBI (Important) | 2020-12-01
oval:org.opensuse.security:def:60815 | P | Security update for python3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:24904 | P | Security update for git (Important) | 2020-12-01
oval:org.opensuse.security:def:25531 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:34754 | P | Security update for MozillaFirefox, mozilla-nss, mozilla-nspr (Important) | 2020-12-01
oval:org.opensuse.security:def:25106 | P | Security update for webkit2gtk3 (Important) | 2020-12-01
oval:org.opensuse.security:def:60634 | P | Security update for openssl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29277 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:26350 | P | Security update for ansible (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25328 | P | Security update for spice (Moderate) | 2020-12-01
oval:org.opensuse.security:def:61028 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:33599 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:34072 | P | Security update for libxml2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:24979 | P | Security update for polkit (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33275 | P | tomcat6 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29861 | P | Security update for Linux Kernel | 2020-12-01
oval:org.opensuse.security:def:60711 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:25677 | P | Security update for raptor (Important) | 2020-12-01
oval:org.opensuse.security:def:33503 | P | Security update for nagios | 2020-12-01
oval:org.opensuse.security:def:60899 | P | Security update for mariadb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:24915 | P | Security update for mariadb (Important) | 2020-12-01
oval:org.opensuse.security:def:60600 | P | Security update for postgresql10 (Important) | 2020-12-01
oval:org.opensuse.security:def:34794 | P | Security update for ansible (Moderate) | 2020-12-01
oval:org.opensuse.security:def:30705 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:29623 | P | Security update for bsdtar (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60672 | P | Security update for python-PyKMIP (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33368 | P | Security update for wget (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25619 | P | Security update for libmspack (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29266 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:25478 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:60978 | P | Security update for java-1_8_0-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:60111 | P | Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:34116 | P | Security update for nautilus (Low) | 2020-12-01
oval:org.opensuse.security:def:29566 | P | Security update for OpenEXR (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33287 | P | x3270 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60552 | P | sysvinit-tools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29265 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:29916 | P | Security update for libcroco (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60790 | P | Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important) | 2020-12-01
oval:org.opensuse.security:def:60041 | P | Security update for bash (Important) | 2020-12-01
oval:org.opensuse.security:def:26315 | P | Security update for MozillaThunderbird (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25244 | P | Security update for log4j (Important) | 2020-12-01
oval:org.opensuse.security:def:60937 | P | Security update for galera-3, mariadb, mariadb-connector-c (Important) | 2020-12-01
oval:org.opensuse.security:def:84056 | P | Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important) | 2020-11-12
oval:org.opensuse.security:def:84511 | P | Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important) | 2020-11-12
oval:com.ubuntu.bionic:def:201686140000000 | V | CVE-2016-8614 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-07-31
oval:com.ubuntu.xenial:def:20168614000 | V | CVE-2016-8614 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-07-31
oval:com.ubuntu.xenial:def:201686140000000 | V | CVE-2016-8614 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-07-31
oval:com.ubuntu.bionic:def:20168614000 | V | CVE-2016-8614 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-07-31
oval:com.ubuntu.disco:def:201686140000000 | V | CVE-2016-8614 on Ubuntu 19.04 (disco) - medium. | 2018-07-31
oval:com.ubuntu.cosmic:def:20168614000 | V | CVE-2016-8614 on Ubuntu 18.10 (cosmic) - medium. | 2018-07-31
oval:com.ubuntu.cosmic:def:201686140000000 | V | CVE-2016-8614 on Ubuntu 18.10 (cosmic) - medium. | 2018-07-31
oval:com.ubuntu.trusty:def:20168614000 | V | CVE-2016-8614 on Ubuntu 14.04 LTS (trusty) - medium. | 2018-07-31
oval:com.ubuntu.artful:def:20168614000 | V | CVE-2016-8614 on Ubuntu 17.10 (artful) - medium. | 2016-11-02