RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:1640)

high Nessus Plugin ID 193086

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1640 advisory.

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

* automation-controller: Django: denial-of-service in 'intcomma' template filter (CVE-2024-24680)
* automation-controller: aiohttp: http request smuggling (CVE-2024-23829)
* automation-controller: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
* automation-controller: Jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
* automation-controller: cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)
* automation-controller: aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
* automation-controller: Twisted: disordered HTTP pipeline response in twisted.web (CVE-2023-46137)
* automation-controller: axios: exposure of confidential data stored in cookies (CVE-2023-45857)
* automation-controller: GitPython: Blind local file inclusion (CVE-2023-41040)
* python3-aiohttp/python39-aiohttp: http request smuggling (CVE-2024-23829)
* python3-aiohttp/python39-aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
* python3-django/python39-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)
* receptor: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
* receptor: golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes for automation controller:
* Fixed bug where schedule prompted variables and survey answers were reset on edit when changing one of the basic form fields (AAP-20967)
* Fixed the update execution environment image to no longer fail jobs that use the previous image (AAP-21733)
* Removed string validation using comparisons of English literals for comparison, replacing validation with error/op codes as a universal approach to validation and comparison (AAP-21721)
* Fixed dispatcher to appropriately terminate child processes when dispatcher terminates (AAP-21049)
* Fixed upgrade from Ansible Tower 3.8.6 to AAP 2.4 to no longer fail upon database schema migration (AAP-19738)
* automation-controller has been updated to 4.5.5

Updates and fixes for receptor:
* Fixes a receptor dialing issue where the connection attempt is timed out too aggressively (AAP-21838, AAP-21828)
* receptor has been updated to 1.4.5

Additional fixes:
* ansible-core has been updated to 2.15.10
* ansible-runner has been updated to 2.3.6
* python3-aiohttp/python39-aiohttp has been updated to 3.9.3
* python3-django/python39-django has been updated 4.2.11
* python3-pulpcore/python39-pulpcore has been updated 3.28.24

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2246264

https://bugzilla.redhat.com/show_bug.cgi?id=2247040

https://bugzilla.redhat.com/show_bug.cgi?id=2248979

https://bugzilla.redhat.com/show_bug.cgi?id=2249825

https://bugzilla.redhat.com/show_bug.cgi?id=2253330

https://bugzilla.redhat.com/show_bug.cgi?id=2255331

https://bugzilla.redhat.com/show_bug.cgi?id=2257854

https://bugzilla.redhat.com/show_bug.cgi?id=2261856

https://bugzilla.redhat.com/show_bug.cgi?id=2261887

https://bugzilla.redhat.com/show_bug.cgi?id=2261909

https://bugzilla.redhat.com/show_bug.cgi?id=2262921

https://bugzilla.redhat.com/show_bug.cgi?id=2266045

http://www.nessus.org/u?c1d5f334

https://access.redhat.com/errata/RHSA-2024:1640

Plugin Details

Severity: High

ID: 193086

File Name: redhat-RHSA-2024-1640.nasl

Version: 1.2

Type: local

Agent: unix

Published: 4/9/2024

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2024-23334

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.9

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2023-49083

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:python3-django, p-cpe:/a:redhat:enterprise_linux:python3x-django, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:python39-aiohttp, p-cpe:/a:redhat:enterprise_linux:python-aiohttp, p-cpe:/a:redhat:enterprise_linux:python3-aiohttp, p-cpe:/a:redhat:enterprise_linux:python3x-aiohttp, p-cpe:/a:redhat:enterprise_linux:python-django, p-cpe:/a:redhat:enterprise_linux:receptor, p-cpe:/a:redhat:enterprise_linux:automation-controller-venv-tower, p-cpe:/a:redhat:enterprise_linux:receptorctl, p-cpe:/a:redhat:enterprise_linux:python39-django, cpe:/o:redhat:enterprise_linux:8

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/2/2024

Vulnerability Publication Date: 8/26/2023

Reference Information

CVE: CVE-2023-39326, CVE-2023-41040, CVE-2023-45857, CVE-2023-46137, CVE-2023-47627, CVE-2023-49083, CVE-2024-1394, CVE-2024-22195, CVE-2024-23334, CVE-2024-23829, CVE-2024-24680, CVE-2024-27351

CWE: 1333, 200, 22, 400, 401, 444, 476, 79

IAVA: 2024-A-0126

RHSA: 2024:1640