Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2693
Red Hat Ansible Tower - RHEL7 Container
6 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Ansible Tower
Publisher: Red Hat
Operating System: Red Hat
Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-14337 CVE-2020-14329 CVE-2020-14328
CVE-2020-14327
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:3328
https://access.redhat.com/errata/RHSA-2020:3329
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container
Advisory ID: RHSA-2020:3328-01
Product: Red Hat Ansible Tower
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3328
Issue date: 2020-08-05
CVE Names: CVE-2020-14327 CVE-2020-14328 CVE-2020-14329
CVE-2020-14337
=====================================================================
1. Summary:
Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container
2. Description:
* Updated Named URLs to allow for testing the presence or absence of
objects (CVE-2020-14337)
* Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
* Fixed Tower Server Side Request Forgery on Webhooks (CVE-2020-14328)
* Fixed Tower sensitive data exposure on labels (CVE-2020-14329)
* Added local caching for downloaded roles and collections so they are not
re-downloaded on nodes where they have already been updated
* Fixed Towerâ\x{128}\x{153}s task scheduler to no longer deadlock for clustered
installations with large numbers of nodes
* Fixed the Credential Type definitions to no longer allow superusers to
run unsafe Python code
* Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
* Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client
libraries to be upgraded on Tower nodes, which fixes the backup/restore
function
* Fixed backup/restore for PostgreSQL usernames that include capital
letters
* Fixed manually added host variables to no longer be removed on VMWare
vCenter inventory syncs
* Fixed Red Hat Satellite inventory syncs to allow Tower to properly
respect the ``verify_ssl flag``
3. Solution:
For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
1856786 - CVE-2020-14328 Tower: SSRF: Server Side Request Forgery on webhooks
1856787 - CVE-2020-14329 Tower: Sensitive Data Exposure on Label
1859139 - CVE-2020-14337 Tower: Named URLs allow for testing the presence or absence of objects
5. References:
https://access.redhat.com/security/cve/CVE-2020-14327
https://access.redhat.com/security/cve/CVE-2020-14328
https://access.redhat.com/security/cve/CVE-2020-14329
https://access.redhat.com/security/cve/CVE-2020-14337
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXyrHBdzjgjWX9erEAQgLIg/7B7BH4F4OJ1pVOotbXrBG0xtkzBLi2vm1
q1Djb6jZWXB9wGOLCWYZC2U7x7kr+T2gjM+Sa3NH1V+wWHn5kEqm+rMioCx5UQd6
18myFb1lGDM/MzaZi8Ovh1EADrFn4QoiTeKoRxc3TIl6bW4M303P3zUTu8N9EtOk
ddk5uV+oWtIND5m5m0uuYCNGqPOm4fwKk4H1oovCKQEGnOdy1H4dOV+mBpOfj3KS
NWqa0vPIjcWXcMR+qgDJmq1q8+56yg7CPwEsa70cU+aV8QZdS8pcK3CZ5ZsNdCyj
Fk+H5mIFmSUTAZX7fBpEljhXaLIzZXAAruHUwwnCJYRa1rq/P0fD8vv+z5vWWb9w
Ige13tCL63KmCHniGDu1FLi9gx/TIO04Arx295jFyUQNLu7NmtK/BGSanJEJ8G9A
g+BumOymOJTnBqNGc0hdD67e0eCTWAVwPvo9uaNccfD0bQNAKaxVwwJmJRG3xukS
Ru/8HGgr+ujz+vW2Ly49JIXWzVoLaWzZgv5LZAeIJToXRS5fkabcTqO1aCYa0+JA
qx7JVYa01o+yUv2cLjFZKHgXFTL41U/gPQ6LTsloFOdGsNmHYmwxkxTLXGNmVCj1
wPQDILeMYeyTsg9SvfVXzhs6TCeWBtudllHaoduoygT+AwaHw0wLxhkwgpCpubqa
MLz0UhqOJEU=
=0wzO
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container
Advisory ID: RHSA-2020:3329-01
Product: Red Hat Ansible Tower
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3329
Issue date: 2020-08-05
CVE Names: CVE-2020-14327
=====================================================================
1. Summary:
Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container
2. Description:
* Removed reports option for Satellite inventory script
* Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
* Fixed the ``Job Type`` field to render properly when editing a Job
Template
* Fixed a notable delay running large project update clones
* Fixed Tower to properly sync host facts for Red Hat Satellite 6.7
inventories
* Fixed installations on Red Hat OpenShift 4.3 to no longer fail
* Fixed the usage of certain SSH keys on RHEL8 when FIPS is enabled to work
properly
* Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client
libraries to be upgraded on Tower nodes, which fixes the backup/restore
function
* Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
* Fixed the ability to add a user to an organization when they already had
roles in the organization
* Fixed manually added host variables to no longer be removed on VMWare
vCenter inventory syncs
* Fixed a number of issues related to Towerâ\x{128}\x{153}s reporting of metrics to Red
Hat Automation Analytics
3. Solution:
For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
5. References:
https://access.redhat.com/security/cve/CVE-2020-14327
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXyrG7tzjgjWX9erEAQjTpA/9EkZENU9KqxjLw4K1CynuMe4NmCMsphgJ
K8PPdrQNcGbZyAdFPoX0c1zzHWsEFJ8pcwGN4zO+qh3lpm2AuxJ3xiz8JRNMy62o
87qoVUbuP1RSWlkdkldK49j3XQcYs2LzWaokM9Y5H/wRGfaRDhg3Og4pOH4Lnkqi
GK8UGLcxFkS0MCkIad7Uh0MrcvQ/5h3ijD9xWdg4/R2AxvOqn2RoW26clPJOZLVB
QCP04WyUascWjBQBZHNBfdPqvJ1CfGrHnXcnRpNF7GdSPjCWtRBS9OyMjFVDz2a/
9TA5WflLRhtVxB2FEFxeStewSsv9zOwSbu44Lf/6SDr1HlpKDR8PcViIlM+X6+N0
H1AevHi3H/uXTpGTLlTBlXG1BcJ8VGgP4FTu5N4y1gCoO7dAKyD1uMrDNAE3U5o0
bnNDo6nG2zJ9OuVgBEzyGUzxsX41mfRYs6dV/0hiKfzX7ZBu2tckLRUmGX0itLhT
iiDUuDdffjBkUXRqYifBsW3cUttwR/nvFFLGyZMXLDJasd1YV2p4hXfto1rsUui/
XMVSJ+UrmqsLgmzlSnzM7w/HfheUy8+3xBJyVUUB7vHPM8Ajo29yLauCkGXl70T3
Dqv0lC4dD76a4d8KcVZPghW2benk5cIeYVSD94EnzllEje4pesS9p0eSqmQC7Amd
F44f3+Z1Q9Y=
=1XgD
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXyuZZ+NLKJtyKPYoAQjBjxAAoOgUiBnbplEMq7PYEaFYctuXQ4vgCLap
6NceuFatkf45a3iED4tC83ErrSL0c7Bwmte2HT6wrLN9B6R3Nwzns1iRWQi6+Kbt
rxLnuDSYIP4sRCO2Gim2B+vmKHbtAwvhJv7QTm6tfehw7CmGw1wd7QAMP0rKafGI
aby0CycT3BcRR9Pw8+CQHVkLhCoy8yTvHXkVYmgZwwV64mJhMcL7x31rG0Z1GeqF
Q3YuxbxNFVszhQiCAcFWMFSuZMD+bbDkCaHTrVL2DiQU5hvOCu19y0dB1DUr/bCE
aFppie2SCiRWm50Y/pBy4b749m7SmrC3E/bWShvIU1B8P6tkqLi/ACWMGkFcYy3D
EtM/BrGnsPsrolQS/z47D+f/D+hutrJ41anaMQ6bTOzQ8D8fd/J1lClxPHhFRvjs
PTZhg6lyLtd6Oqw8E1iC8Ph0pJbVWGB7z4V07IxAbTp1CZm4A+ygPd12FEX68PRj
QgzZut6Lhit+kg+nrX4wLMBLiKzIVA4FMRHMrI/fuGK6amFyijumepHi05ik7uze
oWkNm+LnqtbqCkncWZQgEqNKq4KEnaE+0aU42O+qzwQJXcPUjSLys+tM9WebM0XG
OtdtM9zPuAH7fgOiZ2dBEb9zPFJAlQ10LRTUK+k0Hul23gglScpqsDtoW2Y1tFLl
H2rZDOdMdKA=
=MoQy
-----END PGP SIGNATURE-----