Synopsis
The remote Red Hat host is missing one or more security updates.
Description
The remote Red Hat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:4693 advisory.
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Security Fix(es):
* automation-eda-controller: token exposed when importing a project (CVE-2023-4380)
* python3-cryptography/python39-cryptography: memory corruption via immutable objects (CVE-2023-23931)
* python3-django/python39-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)
* python3-requests/python39-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional changes for Event-Driven Ansible:
* automation-eda-controller has been updated to 1.0.1
* Contributor and editor roles now have permissions to access users and set the AWX token. (AAP-11573)
* The onboarding wizard now requests controller token creation. (AAP-11907)
* Corrected the filtering capability of the Rule Audit screens so that a search yields results using the "starts with" function. (AAP-11987)
* Enabling or disabling rulebook activation no longer increases the restarts counter by 1. (AAP-12042)
* Filtering by a text string now displays all applicable items in the UI, including those that are not visible in the list at that time. (AAP-12446)
* Audit records are no longer missing when running activations with multiple jobs. (AAP-12522)
* The event payload is no longer missing key attributes when a job template fails. (AAP-12529)
* Fixed the Git token leak that occurs when importing a project fails. (AAP-12767)
* The restart policy in Kubernetes (k8s) now restarts a successful activation that is incorrectly marked as failed. (AAP-12862)
* Activation statuses are now reported correctly, whether you are disabling or enabling them. (AAP-12896)
* When the run_job_template action fails, ansible-rulebook now prints an error log in the activation output and creates an entry in the rule audit so that the user is alerted that the rule has failed. (AAP-12909)
* When a user tries to bulk delete rulebook activations from the list, the request now completes successfully and consistently. (AAP-13093)
* The Rulebook Activation link now functions correctly in the Rule Audit Detail UI. (AAP-13182)
* Fixed a bug where ansible-rulebook prevented execution if the connection to the controller failed, even when the controller was not required by the rulebook. (AAP-13209)
* Fixed a bug where some audit rule records had the wrong rulebook link. (AAP-13844)
* Fixed a bug where only the first 10 audit rules had the right link. (AAP-13845)
* Previously, project credentials could not be updated if there was a change to the credential used in the project. Credentials can now be updated in a project with a new or different credential. (AAP-13983)
* The User Access section of the navigation panel no longer disappears after creating a decision environment. (AAP-14273)
* Fixed a bug where filtering for audit rules didn't work properly on OpenShift Container Platform. (AAP-14512)
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Plugin Details
File Name: redhat-RHSA-2023-4693.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
Vendor
Vendor Severity: Moderate
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:python3-django, p-cpe:/a:redhat:enterprise_linux:python39-django, p-cpe:/a:redhat:enterprise_linux:python3x-cryptography, p-cpe:/a:redhat:enterprise_linux:python3x-django, p-cpe:/a:redhat:enterprise_linux:automation-eda-controller, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:python-django, p-cpe:/a:redhat:enterprise_linux:python3x-requests, p-cpe:/a:redhat:enterprise_linux:python39-cryptography, p-cpe:/a:redhat:enterprise_linux:python39-requests, p-cpe:/a:redhat:enterprise_linux:python-cryptography, p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-ui, p-cpe:/a:redhat:enterprise_linux:python3-cryptography, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-server
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: Exploits are available
Patch Publication Date: 8/21/2023
Vulnerability Publication Date: 2/7/2023