Synopsis
Important: Red Hat Ansible Tower 3.5.4-1 - RHEL7 Container
Type/Severity
Security Advisory: Important
Topic
Red Hat Ansible Tower 3.5.4-1 - RHEL7 Container
Description
- Added a command to generate a new SECRET_KEY and rekey the database
- Removed the guest user from the optionally-configured RabbitMQ admin interface (CVE-2019-19340)
- Fixed assorted issues with preserving permissions in the Ansible Tower backup playbook (CVE-2019-19341)
- Fixed a partial password disclosure when special characters existed in the RabbitMQ password (CVE-2019-19342)
- Fixed a file descriptor leak in the Tower service during project updates
- Fixed an issue where AUTHORIZATION_CODE_EXPIRE_SECONDS and ACCESS_TOKEN_EXPIRE_SECONDS were not properly honored
- Fixed an issue where some timezones in schedules could not be parsed
- Fixed isolated execution of playbooks with blanks in the filename
- Fixed saving of workflow extra_vars
- Updated Ansible Tower to disallow Jinja in inventory hostnames
- Updated analytics data collection to match Ansible Tower 3.6
- Updated bundled oVirt SDK to version 4.3.0
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
Affected Products
-
Red Hat Ansible Tower 3.5 x86_64
Fixes
- BZ - 1782623 - CVE-2019-19342 Tower: special characters in RabbitMQ passwords causes web socket 500 error
- BZ - 1782624 - CVE-2019-19340 Tower: enabling RabbitMQ manager in the installer exposes the management interface publicly
- BZ - 1782625 - CVE-2019-19341 Tower: intermediate files during Tower backup are world-readable
CVEs
References
Vulmon