-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Ansible Tower 3.6.7-1 - Container security and bug fix update
Advisory ID:       RHSA-2021:0778-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0778
Issue date:        2021-03-09
CVE Names:         CVE-2016-5766 CVE-2018-20843 CVE-2019-11719 
                   CVE-2019-11727 CVE-2019-11756 CVE-2019-12749 
                   CVE-2019-14866 CVE-2019-15903 CVE-2019-17006 
                   CVE-2019-17023 CVE-2019-17498 CVE-2019-19956 
                   CVE-2019-20372 CVE-2019-20388 CVE-2019-20907 
                   CVE-2020-1971 CVE-2020-6829 CVE-2020-7595 
                   CVE-2020-8177 CVE-2020-10543 CVE-2020-10878 
                   CVE-2020-11022 CVE-2020-11023 CVE-2020-12243 
                   CVE-2020-12400 CVE-2020-12401 CVE-2020-12402 
                   CVE-2020-12403 CVE-2020-12723 CVE-2020-35678 
                   CVE-2021-20178 CVE-2021-20180 CVE-2021-20191 
                   CVE-2021-20228 CVE-2021-20253 
====================================================================
1. Summary:

Red Hat Ansible Tower 3.6.7-1 - RHEL7 Container

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* Addressed a security issue which can allow a malicious playbook author to
elevate to the awx user from outside the isolated environment:
CVE-2021-20253
* Upgraded to a more recent version of nginx to address CVE-2019-20372
* Upgraded to a more recent version of autobahn to address CVE-2020-35678
* Upgraded to a more recent version of jquery to address CVE-2020-11022 and
CVE-2020-11023

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1790277 - CVE-2019-20372 nginx: HTTP request smuggling in configurations with URL redirect used as error_page
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
1850004 - CVE-2020-11023 jquery: Passing HTML containing 
1911314 - CVE-2020-35678 python-autobahn: allows redirect header injection
1928847 - CVE-2021-20253 ansible-tower: Privilege escalation via job isolation escape

5. References:

https://access.redhat.com/security/cve/CVE-2016-5766
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20372
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-10543
https://access.redhat.com/security/cve/CVE-2020-10878
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/cve/CVE-2020-12723
https://access.redhat.com/security/cve/CVE-2020-35678
https://access.redhat.com/security/cve/CVE-2021-20178
https://access.redhat.com/security/cve/CVE-2021-20180
https://access.redhat.com/security/cve/CVE-2021-20191
https://access.redhat.com/security/cve/CVE-2021-20228
https://access.redhat.com/security/cve/CVE-2021-20253
https://access.redhat.com/security/updates/classification/#important