
Security: Multiple issues in Red Hat Ansible Automation Platform
Name: Multiple issues in Red Hat Ansible Automation Platform
ID: RHSA-2025:0340
Distribution: Red Hat
Platforms: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9
Date: Thu, 16 January 2025, 06:28
References: https://access.redhat.com/security/cve/CVE-2024-11407
https://bugzilla.redhat.com/show_bug.cgi?id=2331063
https://access.redhat.com/security/cve/CVE-2024-52304
https://bugzilla.redhat.com/show_bug.cgi?id=2327130
https://access.redhat.com/security/cve/CVE-2024-53907
https://access.redhat.com/security/cve/CVE-2024-55565
https://access.redhat.com/security/cve/CVE-2024-53908
https://bugzilla.redhat.com/show_bug.cgi?id=2329288
https://bugzilla.redhat.com/show_bug.cgi?id=2329287
https://access.redhat.com/errata/RHSA-2025:0340
https://bugzilla.redhat.com/show_bug.cgi?id=2329003
Applications: Red Hat Ansible Automation Platform

Original message

An update is now available for Red Hat Ansible Automation Platform 2.5

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):
* automation-controller: Potential SQL injection in HasKey(lhs, rhs) on Oracle (CVE-2024-53908)
* automation-controller: Potential denial-of-service in django.utils.html.strip_tags() (CVE-2024-53907)
* automation-controller: Denial of Service through Data corruption in gRPC-C++ (CVE-2024-11407)
* automation-gateway: nanoid mishandles non-integer values (CVE-2024-55565)
* python3.11-aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2024-52304)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes included:

Platform
* Fixed a 'not found' error that occurred occasionally when navigating form wizards (AAP-37495)
* Fixed an issue where the ID_KEY attribute was improperly used to determine the username field in social auth pipelines (AAP-38300)
* Fixed an issue where the X-DAB-JW-TOKEN header message would flood logs (AAP-38169)
* Fixed an issue where an authenticator could create a userid and return a non-viable authenticator_uid (AAP-38021)
* Enhanced the status API, /api/gateway/v1/status/, so that the services property within the JSON is now an array (AAP-37903)
* Fixed an issue where a private key was displayed in plain text when downloading the OpenAPI schema file. NOTE: This was not the private key used by gateway, just a random default key (AAP-37843)

Automation controller
* Added 'job_lifecycle' as a choice in loggers to send externally and added an 'organization_id' field to logs related to a job (AAP-37537)
* Fixed a date comparison mismatch for a traceback from the 'host_metric_summary_monthly' task (AAP-37487)
* Fixed scheduled jobs with count set to a non-zero value to no longer run unexpectedly (AAP-37290)
* Fixed the POST operation to '/api/controller/login/' via gateway to no longer result in a fatal error (AAP-37235)
* Fixed the behavior of the project's 'requirements.yml' to no longer revert to a prior state in a cluster (AAP-37228)
* Fixed an occasional error while creating the event partition table before starting a job, when lots of jobs are launched quickly (AAP-37227)
* Fixed the named URL to no longer return a 404 error code while launching a job template (AAP-37025)
* Updated receptor to clean up temporary receptor files after a job completes on nodes (AAP-36904)
* Fixed the POST operation to '/api/controller/login/' via gateway to no longer result in a fatal error (AAP-33911)
* automation-controller has been updated to 4.6.6

Container-based Ansible Automation Platform
* Fixed an issue where the provided inventory file sample for growth inventories could cause the installation to stall on low-resource systems (AAP-38372)
* Fixed an issue where the throttle capacity of controller in a growth topology installation would allow for performance degradation (AAP-38207)
* Fixed an issue where the receptor TLS certificate content was not validated during the preflight role execution, ensuring that the x509 Subject Alt Name (SAN) field contains the required ISO Object Identifier (OID) (AAP-37880)
* TLS certificate and key files are now validated during the preflight role execution (AAP-37845)
* Fixed an issue where the Postgresql SSL mode variables were not validated during the preflight role execution (AAP-37352)
* containerized installer setup has been updated to 2.5-8

RPM-based Ansible Automation Platform
* Fixed an issue where adding a new automation hub host to an upgraded environment caused the installation to fail (AAP-38204)
* Fixed an issue where the link to the documents in the installer README.md was broken (AAP-37627)
* Updated nginx configuration to properly return API status for the Event-Driven Ansible event stream service (AAP-32816)
* ansible-automation-platform-installer and installer setup have been updated to 2.5-7

Additional changes:
* Installing ansible-core no longer installs python3-jmespath on RHEL 8 (AAP-18251)
* ansible-core has been updated to 2.16.14-2
* automation-gateway has been updated to 2.5.20250115
* python3.11-aiohttp has been updated to 3.10.11 along with its dependencies
* python3.11-django-ansible-base has been updated to 2.5.20250115
* python3.11-galaxy-importer has been updated to 0.4.27
* python3.11-pulpcore has been updated to 3.49.29

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2024-11407: Incorrect Calculation (CWE-682)
CVE-2024-52304: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (CWE-444)
CVE-2024-53907: CWE-1169
CVE-2024-53908: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
CVE-2024-55565: Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)