Detections
Analytics

RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (Moderate) (RHSA-2024:10766)

medium Nessus Plugin ID 212045

Language:

Synopsis

The remote Red Hat host is missing a security update.

Description

The remote Redhat Enterprise Linux 8 / 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:10766 advisory.

 Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

 Security Fix(es):

 * automation-controller: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2024-52304)

 For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

 Updates and fixes included:

 Automation controller
 * Fix job schedules running at incorrect times when rrule interval was set to HOURLY or MINUTELY (AAP-36572)
 * Fix bug where unrelated jobs could be marked as a dependency of other jobs (AAP-35309)
 * Include pod anti-affinity configuration on default containergroup pod spec to optimally spread workload (AAP-35055)
 * Updated the minor version of uWSGI to obtain updated log verbiage (AAP-33169)
 * automation-controller has been updated to 4.6.3

 Receptor
 * Fixed an issue that caused a Receptor runtime panic error (AAP-36476)
 * receptor has been updated to 1.5.1

 Container-based Ansible Automation Platform
 * With this update, you cannot change the postgresql_admin_username value when using a managed database node (AAP-36577)
 * Added update support for PCP monitoring role (AAP-36576)
 * With this update, ID and Image fields from a container image are used instead of Digest and ImageDigest to trigger a container update (AAP-36575)
 * Disabled platform gateway authentication in the proxy configuration to prevent HTTP 502 errors when the control plane is down (AAP-36484)
 * With this update, you can use dedicated nodes for the Redis group (AAP-36480)
 * Fixed an issue where disabling TLS on Automation Gateway would cause installation to fail (AAP-35966)
 * Fixed an issue where platform gateway uninstall would leave container systemd unit files on disk (AAP-35329)
 * Fixed an issue where disabling TLS on Automation Gateway proxy would cause installation to fail (AAP-35145)
 * With this update, you can now update the registry URL value in Event-Driven Ansible credentials (AAP-35085)
 * Fixed an issue where the automation hub container signing service creation failed when hub_collection_signing=false but hub_container_signing=true (AAP-34977)
 * Fixed an issue with the HOME environment variable for receptor containers which would cause a permission denied error on the containerized execution node (AAP-34945)
 * Fixed an issue where not setting up the GPG agent socket properly when multiple hub nodes are configured, resulted in not creating a GPG socket file in /var/tmp/pulp (AAP-34815)
 * With this update, you can now change the automation gateway port value after the initial deployment (AAP-34813)
 * With this update, the kernel.keys.maxkeys and kernel.keys.maxbytes settings are increased on systems with large memory configuration (AAP-34019)
 * Added ansible_connection=local to the inventory-growth file and clarified its usage (AAP-34016)
 * containerized installer setup has been updated to 2.5-6

 RPM-based Ansible Automation Platform
 * Receptor data directory can now be configured using 'receptor_datadir' variable (AAP-36697)
 * Disabled platform gateway authentication in the proxy configuration to allow access to UI when the control plane is down (AAP-36667)
 * Fixed an issue where the metrics-utility command failed to run after updating automation controller (AAP-36486)
 * Fix issue where the dispatcher service went into FATAL status and failed to process new jobs after a database outage of a few minutes (AAP-36457)
 * Fixed the owner and group permissions on the /etc/tower/uwsgi.ini file (AAP-35765)
 * With this update, you can now update the registry URL value in Event-Driven Ansible credentials (AAP-35162)
 * Fixed an issue where not having eda_node_type defined in the inventory file would result in backup failure (AAP-34730)
 * Fixed an issue where not having routable_hostname defined in the inventory file would result in a restore failure (AAP-34563)
 * With this update, the inventory-growth file is now included in the ansible-automation-platform-installer (AAP-33944)
 * ansible-automation-platform-installer and installer setup have been updated to 2.5-6

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected automation-controller-venv-tower package.

See Also

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2327130

http://www.nessus.org/u?c7fc0e06

https://access.redhat.com/errata/RHSA-2024:10766

Plugin Details

Severity: Medium

ID: 212045

File Name: redhat-RHSA-2024-10766.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/4/2024

Updated: 12/4/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2024-52304

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 1.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:automation-controller-venv-tower, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 12/3/2024

Vulnerability Publication Date: 11/18/2024

Reference Information

CVE: CVE-2024-52304

CWE: 444

RHSA: 2024:10766