Headline
Red Hat Security Advisory 2024-8969-03
Red Hat Security Advisory 2024-8969-03 - An update is now available for Red Hat Ansible Automation Platform Execution Environments.
The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8969.jsonRed Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis: Moderate: Red Hat Ansible Automation Platform Execution Environments Container Release UpdateAdvisory ID: RHSA-2024:8969-03Product: Red Hat Ansible Automation PlatformAdvisory URL: https://access.redhat.com/errata/RHSA-2024:8969Issue date: 2024-11-12Revision: 03CVE Names: CVE-2024-8775====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform Execution EnvironmentsDescription:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* ansible-core: Exposure of Sensitive Information in Ansible Vault Files Due to Improper Logging (CVE-2024-8775)* ansible-core: Ansible-core user may read/write unauthorized content (CVE-2024-9902)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes:* ansible-core has been updated to 2.16.13 (ee-minimal 2.16 stream)* ansible-core has been updated to 2.17.6 (ee-minimal 2.17 stream)* ansible-core 2.18.0 has been added (ee-minimal 2.18 stream)Solution:CVEs:CVE-2024-8775References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2312119https://bugzilla.redhat.com/show_bug.cgi?id=2318271Related news
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.