Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2023:4991: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update

An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-40267: An improper input validation vulnerability was found in GitPython. This flaw allows an attacker to inject a maliciously crafted remote URL into the clone command, possibly leading to remote code execution.
Red Hat Security Data
#vulnerability#web#linux#red_hat#redis#nodejs#js#git#kubernetes#rce#aws

Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

All Products

Issued:

2023-09-06

Updated:

2023-09-06

RHSA-2023:4991 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Low: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update

Type/Severity

Security Advisory: Low

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat Ansible Automation Platform 2.3

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

  • automation-controller: GitPython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional changes:

  • ansible-core has been updated to 2.14.9 (AAP-15270)
  • automation-controller has been updated to 4.3.13 (AAP-15548)
  • automation controller: Fix bug that can cause a deadlock on shutdown when redis is unavailable. (AAP-14217)

Solution

Red Hat Ansible Automation Platform

Affected Products

  • Red Hat Ansible Automation Platform 2.3 for RHEL 9 x86_64
  • Red Hat Ansible Automation Platform 2.3 for RHEL 8 x86_64
  • Red Hat Ansible Inside 1.1 for RHEL 9 x86_64
  • Red Hat Ansible Inside 1.1 for RHEL 8 x86_64
  • Red Hat Ansible Developer 1.0 for RHEL 9 x86_64
  • Red Hat Ansible Developer 1.0 for RHEL 8 x86_64

Fixes

  • BZ - 2231474 - CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blocked

Red Hat Ansible Automation Platform 2.3 for RHEL 9

SRPM

ansible-core-2.14.9-1.el9ap.src.rpm

SHA-256: 61c70239ad5d9eb14cc83c25daab3e5b165191949b48d380c68aeddaa83476d8

automation-controller-4.3.13-1.el9ap.src.rpm

SHA-256: f823e50b8227500db175041099246225300a180e4d90d53f1574b850755579d3

x86_64

ansible-core-2.14.9-1.el9ap.x86_64.rpm

SHA-256: 57c7892e7a887ac2d861d74261e9a055bbdcf77c253fc9c5ecab57815ff7c7f3

ansible-test-2.14.9-1.el9ap.x86_64.rpm

SHA-256: 191911ba8d42f46d7c12c3992bc61bb418c230329049c14d4f191500821f9297

automation-controller-4.3.13-1.el9ap.x86_64.rpm

SHA-256: 07827339a8f69e0ee3d65aa3b328761037c7982131e0c493a5df23c216d59593

automation-controller-cli-4.3.13-1.el9ap.x86_64.rpm

SHA-256: 9e6662622358d22c158fff0f6d28d22773ce1b10b079a4948425c572352e3895

automation-controller-server-4.3.13-1.el9ap.x86_64.rpm

SHA-256: c040b0107eb3ab41c76fa7c9001d80882b19fb4116e59f6a18b2b081248c0647

automation-controller-ui-4.3.13-1.el9ap.x86_64.rpm

SHA-256: 62a132e4f0397e02087b04682f4eb238db91ea4c6ecddf553a66db018cb50de4

automation-controller-venv-tower-4.3.13-1.el9ap.x86_64.rpm

SHA-256: 6705428c0286beac417742cbad8b53080dbc0cb86d73719011b6aff386f93d2c

Red Hat Ansible Automation Platform 2.3 for RHEL 8

SRPM

ansible-core-2.14.9-1.el8ap.src.rpm

SHA-256: 6eb749f1cdcff253ebc227b4333df7c09a757ef492160717dbce3532e5973f78

automation-controller-4.3.13-1.el8ap.src.rpm

SHA-256: 4b5fb48a71cb35757ed14bcc38c6eaddd14fd944eb1959954edbbdc8911395ad

x86_64

ansible-core-2.14.9-1.el8ap.x86_64.rpm

SHA-256: 6ed6a9596ac36281fc48b564fc32a2ab6212ed32725311fa03fac4bfeceda283

ansible-test-2.14.9-1.el8ap.x86_64.rpm

SHA-256: eca721f4cb88affddba40f8a12c6561a52710b9459e0112174dcb6b6c90f7e03

automation-controller-4.3.13-1.el8ap.x86_64.rpm

SHA-256: 365bd70d74315d32821e207079feb3b45ccdb812df6c2067d7fdbdbba46b6da7

automation-controller-cli-4.3.13-1.el8ap.x86_64.rpm

SHA-256: ad548b5c43009c88a7d59f99da8d4211943696ed4e26cac44537f4e89d346661

automation-controller-server-4.3.13-1.el8ap.x86_64.rpm

SHA-256: 55dfd2726fa22e4c157fb7eba1c8b6fba633b86a007f02d44f33021ac914d960

automation-controller-ui-4.3.13-1.el8ap.x86_64.rpm

SHA-256: 5add753dd765521ce52de56a5a3f07b086d62f15916daf1c217b1f928deff810

automation-controller-venv-tower-4.3.13-1.el8ap.x86_64.rpm

SHA-256: 6db16876d56f8b6ecbc07f29bd1d299a21f51aaafa118f0ff1b10c754f53fe9f

Red Hat Ansible Inside 1.1 for RHEL 9

SRPM

ansible-core-2.14.9-1.el9ap.src.rpm

SHA-256: 61c70239ad5d9eb14cc83c25daab3e5b165191949b48d380c68aeddaa83476d8

x86_64

ansible-core-2.14.9-1.el9ap.x86_64.rpm

SHA-256: 57c7892e7a887ac2d861d74261e9a055bbdcf77c253fc9c5ecab57815ff7c7f3

Red Hat Ansible Inside 1.1 for RHEL 8

SRPM

ansible-core-2.14.9-1.el8ap.src.rpm

SHA-256: 6eb749f1cdcff253ebc227b4333df7c09a757ef492160717dbce3532e5973f78

x86_64

ansible-core-2.14.9-1.el8ap.x86_64.rpm

SHA-256: 6ed6a9596ac36281fc48b564fc32a2ab6212ed32725311fa03fac4bfeceda283

Red Hat Ansible Developer 1.0 for RHEL 9

SRPM

ansible-core-2.14.9-1.el9ap.src.rpm

SHA-256: 61c70239ad5d9eb14cc83c25daab3e5b165191949b48d380c68aeddaa83476d8

x86_64

ansible-core-2.14.9-1.el9ap.x86_64.rpm

SHA-256: 57c7892e7a887ac2d861d74261e9a055bbdcf77c253fc9c5ecab57815ff7c7f3

Red Hat Ansible Developer 1.0 for RHEL 8

SRPM

ansible-core-2.14.9-1.el8ap.src.rpm

SHA-256: 6eb749f1cdcff253ebc227b4333df7c09a757ef492160717dbce3532e5973f78

x86_64

ansible-core-2.14.9-1.el8ap.x86_64.rpm

SHA-256: 6ed6a9596ac36281fc48b564fc32a2ab6212ed32725311fa03fac4bfeceda283

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2023-5931-01

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

Red Hat Security Advisory 2023-4991-01

Red Hat Security Advisory 2023-4991-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Red Hat Security Advisory 2023-4971-01

Red Hat Security Advisory 2023-4971-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

RHSA-2023:4971: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update

An update is now available for Red Hat Ansible Automation Platform 2.4 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-23931: A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamental rules of Python, resulting in corrupted output. * CVE-2...

Ubuntu Security Notice USN-6326-1

Ubuntu Security Notice 6326-1 - It was discovered that GitPython did not block insecure options from user inputs in the clone command. An attacker could possibly use this issue to execute arbitrary commands on the host.

GHSA-pr76-5cm5-w9cj: GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments

GitPython before 3.1.32 does not block insecure non-multi options in `clone` and `clone_from`, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

CVE-2023-40267: Merge pull request #1609 from Beuc/block-insecure-options-clone-non-m… · gitpython-developers/GitPython@ca965ec

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.