-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3535
security update - Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874)
                              15 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Ansible Tower
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Existing Account            
                   Modify Permissions              -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14365 CVE-2020-12403 CVE-2020-12402
                   CVE-2020-12401 CVE-2020-12400 CVE-2020-12243
                   CVE-2020-7595 CVE-2020-6829 CVE-2020-5313
                   CVE-2019-20388 CVE-2019-20386 CVE-2019-19956
                   CVE-2019-19126 CVE-2019-18874 CVE-2019-17546
                   CVE-2019-17498 CVE-2019-17023 CVE-2019-17006
                   CVE-2019-16935 CVE-2019-15903 CVE-2019-14973
                   CVE-2019-14866 CVE-2019-14822 CVE-2019-12749
                   CVE-2019-12450 CVE-2019-11756 CVE-2019-11727
                   CVE-2019-11719 CVE-2019-5482 CVE-2019-5188
                   CVE-2019-5094 CVE-2018-20843 CVE-2017-12652

Reference:         ESB-2020.3461
                   ESB-2020.3364
                   ESB-2020.3355
                   ESB-2020.3352
                   ESB-2020.2650
                   ESB-2020.2162
                   ESB-2020.0471
                   ESB-2019.4645
                   ESB-2019.3441

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4254
   https://access.redhat.com/errata/RHSA-2020:4255

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: security update - Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874)
Advisory ID:       RHSA-2020:4254-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4254
Issue date:        2020-10-14
CVE Names:         CVE-2017-12652 CVE-2018-20843 CVE-2019-5094 
                   CVE-2019-5188 CVE-2019-5482 CVE-2019-11719 
                   CVE-2019-11727 CVE-2019-11756 CVE-2019-12450 
                   CVE-2019-12749 CVE-2019-14822 CVE-2019-14866 
                   CVE-2019-14973 CVE-2019-15903 CVE-2019-16935 
                   CVE-2019-17006 CVE-2019-17023 CVE-2019-17498 
                   CVE-2019-17546 CVE-2019-18874 CVE-2019-19126 
                   CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 
                   CVE-2020-5313 CVE-2020-6829 CVE-2020-7595 
                   CVE-2020-12243 CVE-2020-12400 CVE-2020-12401 
                   CVE-2020-12402 CVE-2020-12403 CVE-2020-14365 
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874)

2. Description:

* Updated python-psutil to version 5.6.6 inside the ansible-runner container
(CVE-2019-18874)

3. Solution:

For information on upgrading Ansible Tower, refer to the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling

5. References:

https://access.redhat.com/security/cve/CVE-2017-12652
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5188
https://access.redhat.com/security/cve/CVE-2019-5482
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12450
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14822
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-14973
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-17546
https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/cve/CVE-2019-19126
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20386
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2020-5313
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: security update - Red Hat Ansible Tower 3.6 runner release (CVE-2019-18874)
Advisory ID:       RHSA-2020:4255-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4255
Issue date:        2020-10-14
CVE Names:         CVE-2017-12652 CVE-2018-20843 CVE-2019-5094 
                   CVE-2019-5188 CVE-2019-5482 CVE-2019-11719 
                   CVE-2019-11727 CVE-2019-11756 CVE-2019-12450 
                   CVE-2019-12749 CVE-2019-14822 CVE-2019-14866 
                   CVE-2019-14973 CVE-2019-15903 CVE-2019-16935 
                   CVE-2019-17006 CVE-2019-17023 CVE-2019-17498 
                   CVE-2019-17546 CVE-2019-18874 CVE-2019-19126 
                   CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 
                   CVE-2020-5313 CVE-2020-6829 CVE-2020-7595 
                   CVE-2020-12243 CVE-2020-12400 CVE-2020-12401 
                   CVE-2020-12402 CVE-2020-12403 CVE-2020-14365 
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.6 runner release (CVE-2019-18874)

2. Description:

* Updated python-psutil to version 5.6.6 inside the ansible-runner container
(CVE-2019-18874)

3. Solution:

For information on upgrading Ansible Tower, refer to the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
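As an added check for both RHSA-2020:4254 and RHSA-2020:4255 above (not code from Red Hat or the psutil project), the following Python helper compares the psutil version importable in an interpreter against the 5.6.6 release the advisories name as carrying the CVE-2019-18874 fix, using numeric rather than string comparison so that 5.6.10 is not misread as older than 5.6.6. Only the fixed version comes from the advisories; the function names and the version-parsing rules are assumptions made for this illustration.

```python
# Added example: check an installed python-psutil against the CVE-2019-18874 fix.
# Only the fixed version (5.6.6) comes from RHSA-2020:4254/4255; the helper
# names and the parsing rules are assumptions made for this illustration.
import re

FIXED_VERSION = "5.6.6"   # release the advisories name as carrying the fix

_COMPONENT = re.compile(r"^(\d+)(.*)$")


def parse_version(text):
    """Return (numbers, is_final) as a comparable key for a dotted version."""
    numbers = []
    is_final = 1            # 0 for pre-releases such as "5.6.6rc1", which
    for part in text.strip().split("."):   # must sort below the final 5.6.6
        match = _COMPONENT.match(part)
        if match is None:
            raise ValueError("unparseable version component: %r" % part)
        numbers.append(int(match.group(1)))
        if match.group(2):      # trailing text like "rc1" or "a2"
            is_final = 0
            break               # nothing after the suffix affects ordering here
    while len(numbers) < 3:     # treat "5.6" as "5.6.0"
        numbers.append(0)
    return tuple(numbers), is_final


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when `installed` predates the fixed release.

    Comparison is numeric: a plain string compare would rank "5.6.10" below
    "5.6.6" and misreport a patched container as vulnerable.
    """
    return parse_version(installed) < parse_version(fixed)


def check_installed_psutil():
    """(version, vulnerable) for the psutil importable here, or None if absent.

    Run with the interpreter inside the ansible-runner container, which is
    where the advisories place the affected library.
    """
    try:
        import psutil
    except ImportError:
        return None
    return psutil.__version__, is_vulnerable(psutil.__version__)
```

Running `check_installed_psutil()` with the container's own Python reports the version it actually loads, which is the value that matters rather than whatever the host interpreter has installed.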

4. Bugs fixed (https://bugzilla.redhat.com/):

1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling

5. References:

https://access.redhat.com/security/cve/CVE-2017-12652
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5188
https://access.redhat.com/security/cve/CVE-2019-5482
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12450
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14822
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-14973
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-17546
https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/cve/CVE-2019-19126
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20386
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2020-5313
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----