- Issued:
- 2020-08-05
- Updated:
- 2020-08-05
RHSA-2020:3329 - Security Advisory
Synopsis
Moderate: Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container
Type/Severity
Security Advisory: Moderate
Topic
Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container
Description
- Removed reports option for Satellite inventory script
- Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
- Fixed the ``Job Type`` field to render properly when editing a Job Template
- Fixed a notable delay running large project update clones
- Fixed Tower to properly sync host facts for Red Hat Satellite 6.7 inventories
- Fixed installations on Red Hat OpenShift 4.3 to no longer fail
- Fixed the usage of certain SSH keys on RHEL8 when FIPS is enabled to work properly
- Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client libraries to be upgraded on Tower nodes, which fixes the backup/restore function
- Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
- Fixed the ability to add a user to an organization when they already had roles in the organization
- Fixed manually added host variables to no longer be removed on VMWare vCenter inventory syncs
- Fixed a number of issues related to Tower’s reporting of metrics to Red Hat Automation Analytics
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
Affected Products
- Red Hat Ansible Automation Platform Text-Only Advisories for RHEL 7 x86_64
Fixes
- BZ - 1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
CVEs
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.