Synopsis
Moderate: Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container
Type/Severity
Security Advisory: Moderate
Topic
Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container
Description
- Updated Named URLs to allow for testing the presence or absence of objects (CVE-2020-14337)
- Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
- Fixed Tower Server Side Request Forgery on Webhooks (CVE-2020-14328)
- Fixed Tower sensitive data exposure on labels (CVE-2020-14329)
- Added local caching for downloaded roles and collections so they are not re-downloaded on nodes where they have already been updated
- Fixed Tower’s task scheduler to no longer deadlock for clustered installations with large numbers of nodes
- Fixed the Credential Type definitions to no longer allow superusers to run unsafe Python code
- Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
- Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client libraries to be upgraded on Tower nodes, which fixes the backup/restore function
- Fixed backup/restore for PostgreSQL usernames that include capital letters
- Fixed manually added host variables to no longer be removed on VMWare vCenter inventory syncs
- Fixed Red Hat Satellite inventory syncs to allow Tower to properly respect the ``verify_ssl flag``
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
Affected Products
-
Red Hat Ansible Tower 3.7 x86_64
Fixes
- BZ - 1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
- BZ - 1856786 - CVE-2020-14328 Tower: SSRF: Server Side Request Forgery on webhooks
- BZ - 1856787 - CVE-2020-14329 Tower: Sensitive Data Exposure on Label
- BZ - 1859139 - CVE-2020-14337 Tower: Named URLs allow for testing the presence or absence of objects
CVEs
References
Vulmon