Red Hat Product Errata RHSA-2023:5701 - Security Advisory
Issued:
2023-10-16
Updated:
2023-10-16

RHSA-2023:5701 - Security Advisory

Synopsis

Moderate: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update

Type/Severity

Security Advisory: Moderate

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat Ansible Automation Platform 2.3

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

  • ansible-core: malicious role archive can cause ansible-galaxy to overwrite arbitrary files (CVE-2023-5115)
  • automation-controller: Django: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (CVE-2023-41164)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional changes:

  • ansible-core has been updated to 2.14.11
  • automation-controller has been updated to 4.3.16

Solution

Red Hat Ansible Automation Platform

Affected Products

  • Red Hat Ansible Automation Platform 2.3 for RHEL 9 x86_64
  • Red Hat Ansible Automation Platform 2.3 for RHEL 8 x86_64
  • Red Hat Ansible Inside 1.1 for RHEL 9 x86_64
  • Red Hat Ansible Inside 1.1 for RHEL 8 x86_64
  • Red Hat Ansible Developer 1.0 for RHEL 9 x86_64
  • Red Hat Ansible Developer 1.0 for RHEL 8 x86_64

Fixes

  • BZ - 2233810 - CVE-2023-5115 Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files
  • BZ - 2237258 - CVE-2023-41164 python-django: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``

Red Hat Ansible Automation Platform 2.3 for RHEL 9

SRPM
ansible-core-2.14.11-1.el9ap.src.rpm SHA-256: baae07c6f7ddaf62454a80639c6c7d897814aa7688d92760a11b664ea4af926f
automation-controller-4.3.16-1.el9ap.src.rpm SHA-256: e6183221fa3cbf741619ae30352b04ef93b809be7d296c5aad6cb0eb8de31636
x86_64
ansible-core-2.14.11-1.el9ap.x86_64.rpm SHA-256: b23fd05dfa763728555f5855d4026c24d30778ea7bab0a0ecf1280ef0cb7c8cc
ansible-test-2.14.11-1.el9ap.x86_64.rpm SHA-256: beeabfef45eac30c668e0599949a5e335ff5276d90643e987329d3bb609c8ecf
automation-controller-4.3.16-1.el9ap.x86_64.rpm SHA-256: 9e63e194c92019097cef7a17846f03e272604cfdfb9d67fd9ee8e0f15c9b5674
automation-controller-cli-4.3.16-1.el9ap.x86_64.rpm SHA-256: a959c5652be9095b029a3e596a1c61e70afe89d6a1946921091e0f264712fa6b
automation-controller-server-4.3.16-1.el9ap.x86_64.rpm SHA-256: bd57d4ea409db7bc69713cb59450d3b315107a24399b008c954bc7e47358ac4e
automation-controller-ui-4.3.16-1.el9ap.x86_64.rpm SHA-256: 62035364580ae3e8ca99be1e74165b66baf2794a413277faedc7fe98acd461d8
automation-controller-venv-tower-4.3.16-1.el9ap.x86_64.rpm SHA-256: ea3021348e1569805445bf45ae95d570106288d87682a6c6808d3308bd214e35

Red Hat Ansible Automation Platform 2.3 for RHEL 8

SRPM
ansible-core-2.14.11-1.el8ap.src.rpm SHA-256: 5f9a2bfedf16e6e49316ced353f9b8940e559611f841900f54260afef76360fe
automation-controller-4.3.16-1.el8ap.src.rpm SHA-256: 305ab348cdf4cdbe9b7880ee9e0fd21f7b103a7d3f93093b8f5ac0b62ee12874
x86_64
ansible-core-2.14.11-1.el8ap.x86_64.rpm SHA-256: 5a93e09eb5035c62eec02bd66b84f62d1a9e6c1cf4d6aaff58de8bbbfd1ed884
ansible-test-2.14.11-1.el8ap.x86_64.rpm SHA-256: 17c067594c077ef809fbc6de678741f9bfedc56278c68655cd093b0d5f64cb72
automation-controller-4.3.16-1.el8ap.x86_64.rpm SHA-256: 8e2f1da5e1bcd488acb0bcb354a76d7e2e27a89512766f5c9f5594383ee58ee1
automation-controller-cli-4.3.16-1.el8ap.x86_64.rpm SHA-256: 82a221e9eec7877a7eab694b0df793f6afa4605fb1174c5e466f12bceb120f03
automation-controller-server-4.3.16-1.el8ap.x86_64.rpm SHA-256: a63588f8ffd3ca737a43bd46d57c467ca158e98d82279cb0d749ad3059d7a2e6
automation-controller-ui-4.3.16-1.el8ap.x86_64.rpm SHA-256: db6050e103f988051689c9d6fb82c200167808b1d270e16e5f518b1de8698c5d
automation-controller-venv-tower-4.3.16-1.el8ap.x86_64.rpm SHA-256: 8ddfd60a6e36ec918a0b699466998e2f8e156c0b5ddc21991a23bf1f312211bb

Red Hat Ansible Inside 1.1 for RHEL 9

SRPM
ansible-core-2.14.11-1.el9ap.src.rpm SHA-256: baae07c6f7ddaf62454a80639c6c7d897814aa7688d92760a11b664ea4af926f
x86_64
ansible-core-2.14.11-1.el9ap.x86_64.rpm SHA-256: b23fd05dfa763728555f5855d4026c24d30778ea7bab0a0ecf1280ef0cb7c8cc

Red Hat Ansible Inside 1.1 for RHEL 8

SRPM
ansible-core-2.14.11-1.el8ap.src.rpm SHA-256: 5f9a2bfedf16e6e49316ced353f9b8940e559611f841900f54260afef76360fe
x86_64
ansible-core-2.14.11-1.el8ap.x86_64.rpm SHA-256: 5a93e09eb5035c62eec02bd66b84f62d1a9e6c1cf4d6aaff58de8bbbfd1ed884

Red Hat Ansible Developer 1.0 for RHEL 9

SRPM
ansible-core-2.14.11-1.el9ap.src.rpm SHA-256: baae07c6f7ddaf62454a80639c6c7d897814aa7688d92760a11b664ea4af926f
x86_64
ansible-core-2.14.11-1.el9ap.x86_64.rpm SHA-256: b23fd05dfa763728555f5855d4026c24d30778ea7bab0a0ecf1280ef0cb7c8cc

Red Hat Ansible Developer 1.0 for RHEL 8

SRPM
ansible-core-2.14.11-1.el8ap.src.rpm SHA-256: 5f9a2bfedf16e6e49316ced353f9b8940e559611f841900f54260afef76360fe
x86_64
ansible-core-2.14.11-1.el8ap.x86_64.rpm SHA-256: 5a93e09eb5035c62eec02bd66b84f62d1a9e6c1cf4d6aaff58de8bbbfd1ed884

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.