RedHat: RHSA-2020-3328:01 Moderate: Red Hat Ansible Tower 3.7.2-1 - RHEL7
Summary
* Updated Named URLs to allow for testing the presence or absence of
objects (CVE-2020-14337)
* Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
* Fixed Tower Server Side Request Forgery on Webhooks (CVE-2020-14328)
* Fixed Tower sensitive data exposure on labels (CVE-2020-14329)
* Added local caching for downloaded roles and collections so they are not
re-downloaded on nodes where they have already been updated
* Fixed Tower’s task scheduler to no longer deadlock for clustered
installations with large numbers of nodes
* Fixed the Credential Type definitions to no longer allow superusers to
run unsafe Python code
* Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
* Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client
libraries to be upgraded on Tower nodes, which fixes the backup/restore
function
* Fixed backup/restore for PostgreSQL usernames that include capital
letters
* Fixed manually added host variables to no longer be removed on VMWare
vCenter inventory syncs
* Fixed Red Hat Satellite inventory syncs to allow Tower to properly
respect the ``verify_ssl`` flag
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
References
https://access.redhat.com/security/cve/CVE-2020-14327
https://access.redhat.com/security/cve/CVE-2020-14328
https://access.redhat.com/security/cve/CVE-2020-14329
https://access.redhat.com/security/cve/CVE-2020-14337
https://access.redhat.com/security/updates/classification/#moderate
Package List
Topic
Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container
Relevant Releases Architectures
Bugs Fixed
1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
1856786 - CVE-2020-14328 Tower: SSRF: Server Side Request Forgery on webhooks
1856787 - CVE-2020-14329 Tower: Sensitive Data Exposure on Label
1859139 - CVE-2020-14337 Tower: Named URLs allow for testing the presence or absence of objects