===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2138
     security update - Red Hat Ansible Tower 3.7.1-1 - RHEL7 Container
                               19 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Ansible Tower 3.7.1-1
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10782

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:2617

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running Red Hat Ansible Tower 3.7.1-1 check for an updated version
         of the software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: security update - Red Hat Ansible Tower 3.7.1-1 - RHEL7 Container
Advisory ID:       RHSA-2020:2617-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2617
Issue date:        2020-06-18
CVE Names:         CVE-2020-10782
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.7.1-1 - RHEL7 Container

2. Description:

* Updated rsyslog integration to not write world-readable configuration
  files (CVE-2020-10782)
* Updated the included foreman/satellite inventory plugin to add the
  host_filters and want_ansible_ssh_host options
* Updated Foreman/Satellite inventory to properly use group_prefix for all
  groups
* Updated the Satellite inventory script to disable the reports option
* Updated bundled installer to properly include all dependencies
* Updated translations
* Fixed the all_parents_must_converge property of workflow nodes to set
  properly
* Fixed labels so organization administrators could remove them from a
  workflow
* Fixed Mattermost workflow approval notifications
* Fixed the notifications for management jobs so administrators could enable
  it
* Fixed event processing for inventories with very large numbers of hosts to
  prevent Tower to slow down
* Fixed the VMware inventory to properly detect the Instance UUID to no
  longer cause hosts to be removed and re-added
* Fixed (reverted) a change to follow symlinks when discovering playbooks, as
  it could lead to an infinite loop
* Fixed analytics gathering to not attempt to gather data if there is not a
  valid configuration for sending it
* Fixed Tower to no longer break when virtual environments are created with
  incorrect permissions
* Fixed the Sumologic logging integration associated with parsing the URL
  path
* Fixed incorrectly configured logging so that it would no longer block Tower
  operation
* Fix multiple websocket broadcast issues in OpenShift
* Fixed instance registration in OpenShift
* Fixed an issue where the redis socket in OpenShift deployments was
  world-writable

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1847843 - CVE-2020-10782 Tower: rsyslog configuration has world readable permissions

5. References:

https://access.redhat.com/security/cve/CVE-2020-10782
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================