2 files changed, 11 insertions, 1 deletions

diff --git a/changelogs/fragments/boto-logging-credentials.yml b/changelogs/fragments/boto-logging-credentials.yml
new file mode 100644
index 0000000000..5a2b47be8e
--- /dev/null
+++ b/changelogs/fragments/boto-logging-credentials.yml
@@ -0,0 +1,10 @@
+bugfixes:
+        - "**SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials
+          in log files.  inventory/aws_ec2.py, inventory/aws_rds.py,
+          lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the
+          boto3 library from the Ansible process. The boto3 library logs credentials at log level
+          DEBUG.  If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would
+          set the global log level to DEBUG.  This was inherited by boto and would then log boto
+          credentials to the file specified by LOG_PATH.  This did not affect aws ansible modules
+          as those are executed in a separate process.  This has been fixed by switching to log
+          level INFO"
diff --git a/lib/ansible/utils/display.py b/lib/ansible/utils/display.py
index 2f21646467..175a337778 100644
--- a/lib/ansible/utils/display.py
+++ b/lib/ansible/utils/display.py
@@ -60,7 +60,7 @@ logger = None
 if getattr(C, 'DEFAULT_LOG_PATH'):
     path = C.DEFAULT_LOG_PATH
     if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK):
-        logging.basicConfig(filename=path, level=logging.DEBUG, format='%(asctime)s %(name)s %(message)s')
+        logging.basicConfig(filename=path, level=logging.INFO, format='%(asctime)s %(name)s %(message)s')
         mypid = str(os.getpid())
         user = getpass.getuser()
         logger = logging.getLogger("p=%s u=%s | " % (mypid, user))