Headline
Red Hat Security Advisory 2024-1057-03
Red Hat Security Advisory 2024-1057-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include crlf injection and denial of service vulnerabilities.
The following advisory data is extracted from:
https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1057.json
Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat’s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.
- Packet Storm Staff
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update
Advisory ID: RHSA-2024:1057-03
Product: Red Hat Ansible Automation Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2024:1057
Issue date: 2024-02-29
Revision: 03
CVE Names: CVE-2022-40896
====================================================================
Summary:
An update is now available for Red Hat Ansible Automation Platform 2.4.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description:
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Security Fix(es):
automation-eda-controller / ansible-rulebook / ansible-automation-platform-installer: Insecure websocket used when interacting with EDA server (CVE-2024-1657)
python3-django/python39-django: denial-of-service in ‘intcomma’ template filter (CVE-2024-24680)
python3-jinja2/python39-jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
python3-aiohttp/python39-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
python3-aiohttp/python39-aiohttp: HTTP request modification (CVE-2023-49081)
python3-aiohttp/python39-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
python3-pycryptodomex/python39-pycryptodomex: side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex (CVE-2023-52323)
python3-pillow/python39-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument (CVE-2023-44271)
python3-pygments/python39-pygments: ReDoS in pygments (CVE-2022-40896)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updates and fixes for automation controller:
- automation-controller has been updated to 4.5.2
- Enabled HashiCorp Vault LDAP and Userpass authentication (AAP-19842)
Updates and fixes for automation hub:
- automation-hub and python3-galaxy-ng/python39-galaxy-ng have been updated to 4.9.1
- various dependencies have been updated
Updates and fixes for Event-Driven Ansible:
- automation-eda-controller has been updated to 1.0.5
- various dependencies have been updated
- Fixed a vulnerability that allowed command line injections in user and url fields for projects (AAP-17778)
- The communication between the activations and eda-server is now authenticated. Once EDA Controller is upgraded, all the existing running activations must be restarted with upgraded Decision Environment images (AAP-17619)
- Removed 409 conflict error when enabling an activation (AAP-16305)
- An activation status did not change to failed when an internal error occurred (AAP-16014)
- Restarting the EDA server can cause activation states to become stale (AAP-13064)
- RHEL 9.2 activations can not connect to the host (AAP-12929)
- Added podman_containers_conf_logs_max_size variable to control max log size for podman installations with a default value of 10 MiB (AAP-12295)
Note: The 2.4-6 installer/setup should be used to update Event-Driven Ansible to 1.0.5
Updates and fixes for installer and setup:
- Added podman_containers_conf_logs_max_size variable for containers.conf to control max log size for podman installations with a default value of 10 MiB (AAP-19775)
- EDA debug flag of false will now correctly disable django debug mode (AAP-19577)
- installer and setup have been updated to 2.4-6
Additional changes:
- ansible-builder has been updated to 3.0.1
- ansible-runner has been updated to 2.3.5
- ansible-dev-tools has been added
For more details about the updates and fixes included in this release, refer to the Release Notes.
Solution:
CVEs:
CVE-2022-40896
References:
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=2247820
https://bugzilla.redhat.com/show_bug.cgi?id=2249825
https://bugzilla.redhat.com/show_bug.cgi?id=2251643
https://bugzilla.redhat.com/show_bug.cgi?id=2252235
https://bugzilla.redhat.com/show_bug.cgi?id=2252248
https://bugzilla.redhat.com/show_bug.cgi?id=2257028
https://bugzilla.redhat.com/show_bug.cgi?id=2257854
https://bugzilla.redhat.com/show_bug.cgi?id=2261856
https://bugzilla.redhat.com/show_bug.cgi?id=2265085
Related news
Red Hat Security Advisory 2024-5662-03 - An update is now available for Red Hat Satellite 6.15 for RHEL 8.
Gentoo Linux Security Advisory 202408-11 - Multiple vulnerabilities have been discovered in aiohttp, the worst of which could lead to service compromise. Versions greater than or equal to 3.9.4 are affected.
Red Hat Security Advisory 2024-3927-03 - A new container image for Red Hat Ceph Storage 7.1 is now available in the Red Hat Ecosystem Catalog.
Debian Linux Security Advisory 5704-1 - Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service or the execution of arbitrary code if malformed images are processed.
Gentoo Linux Security Advisory 202405-12 - Multiple vulnerabilities have been discovered in Pillow, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 10.2.0 are affected.
Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security an operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1640-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, denial of service, local file inclusion, memory leak, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1155-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
Red Hat Security Advisory 2024-1072-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6623-1 - It was discovered that Django incorrectly handled certain inputs that uses intcomma template filter. An attacker could possibly use this issue to cause a denial of service.
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Ubuntu Security Notice 6618-1 - It was discovered that Pillow incorrectly handled certain long text arguments. An attacker could possibly use this issue to cause Pillow to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. Duarte Santos discovered that Pillow incorrectly handled the environment parameter to PIL.ImageMath.eval. An attacker could possibly use this issue to execute arbitrary code.
Ubuntu Security Notice 6599-1 - Yeting Li discovered that Jinja incorrectly handled certain regex. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. It was discovered that Jinja incorrectly handled certain HTML passed with xmlatter filter. An attacker could inject arbitrary HTML attributes keys and values potentially leading to XSS.
Red Hat Security Advisory 2024-0345-03 - An update for python-pillow is now available for Red Hat Enterprise Linux 7.
Ubuntu Security Notice 6595-1 - It was discovered that PyCryptodome had a timing side-channel when performing OAEP decryption. A remote attacker could possibly use this issue to recover sensitive information.
The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
### Summary Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version. ### Details The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type). For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the `version` parameter. Furthermore, the vulnerability only occurs when the `Connection` header is passed to the `headers` parameter. At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection. ### PoC The POC below shows an example of providing an unvalidated array as a version: https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e ### Impact CRLF injection leading to Request Smuggling. ### Workaround If these specific conditions a...
### Summary Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. ### Details The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling. ### PoC A minimal example can be found here: https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b ### Impact If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). ### Workaround If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).
# Summary The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when `AIOHTTP_NO_EXTENSIONS` is enabled (or not using a prebuilt wheel). # Details ## Bug 1: Bad parsing of `Content-Length` values ### Description RFC 9110 says this: > `Content-Length = 1*DIGIT` AIOHTTP does not enforce this rule, presumably because of an incorrect usage of the builtin `int` constructor. Because the `int` constructor accepts `+` and `-` prefixes, and digit-separating underscores, using `int` to parse CL values leads AIOHTTP to significant misinterpretation. ### Examples ``` GET / HTTP/1.1\r\n Content-Length: -0\r\n \r\n X ``` ``` GET / HTTP/1.1\r\n Content-Length: +0_1\r\n \r\n X ``` ### Suggested action Verify that a `Content-Length` value consists only of ASCII digits before parsing, as the standard requires. ## Bug 2: Improper handling of NUL, CR, and LF in header values ### Description RFC 9110 says this: > Field ...
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A ReDoS issue was discovered in `pygments/lexers/smithy.py` in Pygments until 2.15.0 via SmithyLexer.
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.