Red Hat Ansible Tower 3.7.2-1 RHEL7 Moderate Advisory RHSA-2020-3328-01

August 5, 2020
Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container

Solution

For information on upgrading Ansible Tower, refer to the Ansible Tower Upgrade and Migration Guide: https://legacy-controller-docs.ansible.com/ansible-tower/index.html

Summary

* Updated Named URLs to allow for testing the presence or absence of objects (CVE-2020-14337)
* Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
* Fixed Tower Server Side Request Forgery on Webhooks (CVE-2020-14328)
* Fixed Tower sensitive data exposure on labels (CVE-2020-14329)
* Added local caching for downloaded roles and collections so they are not re-downloaded on nodes where they have already been updated
* Fixed Tower’s task scheduler to no longer deadlock for clustered installations with large numbers of nodes
* Fixed the Credential Type definitions to no longer allow superusers to run unsafe Python code
* Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
* Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client libraries to be upgraded on Tower nodes, which fixes the backup/restore function
* Fixed backup/restore for PostgreSQL usernames that include capital letters
* Fixed manually added host variables to no longer be removed on VMware vCenter inventory syncs
* Fixed Red Hat Satellite inventory syncs to allow Tower to properly respect the ``verify_ssl`` flag

References

https://access.redhat.com/security/cve/CVE-2020-14327
https://access.redhat.com/security/cve/CVE-2020-14328
https://access.redhat.com/security/cve/CVE-2020-14329
https://access.redhat.com/security/cve/CVE-2020-14337
https://access.redhat.com/security/updates/classification#moderate

Package List


Advisory ID: RHSA-2020:3328-01
Product: Red Hat Ansible Tower
Issue date: 2020-08-05

Topic

Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container

Relevant Releases Architectures

Bugs Fixed

1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential

1856786 - CVE-2020-14328 Tower: SSRF: Server Side Request Forgery on webhooks

1856787 - CVE-2020-14329 Tower: Sensitive Data Exposure on Label

1859139 - CVE-2020-14337 Tower: Named URLs allow for testing the presence or absence of objects
