RHSA-2020:3328 - Security Advisory

Synopsis

Moderate: Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container

Security Advisory: Moderate

Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container

Updated Named URLs to allow for testing the presence or absence of objects (CVE-2020-14337)
Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
Fixed Tower Server Side Request Forgery on Webhooks (CVE-2020-14328)
Fixed Tower sensitive data exposure on labels (CVE-2020-14329)
Added local caching for downloaded roles and collections so they are not re-downloaded on nodes where they have already been updated
Fixed Tower’s task scheduler to no longer deadlock for clustered installations with large numbers of nodes
Fixed the Credential Type definitions to no longer allow superusers to run unsafe Python code
Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client libraries to be upgraded on Tower nodes, which fixes the backup/restore function
Fixed backup/restore for PostgreSQL usernames that include capital letters
Fixed manually added host variables to no longer be removed on VMWare vCenter inventory syncs
Fixed Red Hat Satellite inventory syncs to allow Tower to properly respect the ``verify_ssl flag``

For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

BZ - 1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
BZ - 1856786 - CVE-2020-14328 Tower: SSRF: Server Side Request Forgery on webhooks
BZ - 1856787 - CVE-2020-14329 Tower: Sensitive Data Exposure on Label
BZ - 1859139 - CVE-2020-14337 Tower: Named URLs allow for testing the presence or absence of objects