Headline
RHSA-2023:4991: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update
An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-40267: An improper input validation vulnerability was found in GitPython. This flaw allows an attacker to inject a maliciously crafted remote URL into the clone command, possibly leading to remote code execution.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- OpenShift Dev Spaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Quarkus
Integration and Automation
All Products
Issued:
2023-09-06
Updated:
2023-09-06
RHSA-2023:4991 - Security Advisory
- Overview
- Updated Packages
Synopsis
Low: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update
Type/Severity
Security Advisory: Low
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update is now available for Red Hat Ansible Automation Platform 2.3
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Security Fix(es):
- automation-controller: GitPython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional changes:
- ansible-core has been updated to 2.14.9 (AAP-15270)
- automation-controller has been updated to 4.3.13 (AAP-15548)
- automation controller: Fix bug that can cause a deadlock on shutdown when redis is unavailable. (AAP-14217)
Solution
Red Hat Ansible Automation Platform
Affected Products
- Red Hat Ansible Automation Platform 2.3 for RHEL 9 x86_64
- Red Hat Ansible Automation Platform 2.3 for RHEL 8 x86_64
- Red Hat Ansible Inside 1.1 for RHEL 9 x86_64
- Red Hat Ansible Inside 1.1 for RHEL 8 x86_64
- Red Hat Ansible Developer 1.0 for RHEL 9 x86_64
- Red Hat Ansible Developer 1.0 for RHEL 8 x86_64
Fixes
- BZ - 2231474 - CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blocked
Red Hat Ansible Automation Platform 2.3 for RHEL 9
SRPM
ansible-core-2.14.9-1.el9ap.src.rpm
SHA-256: 61c70239ad5d9eb14cc83c25daab3e5b165191949b48d380c68aeddaa83476d8
automation-controller-4.3.13-1.el9ap.src.rpm
SHA-256: f823e50b8227500db175041099246225300a180e4d90d53f1574b850755579d3
x86_64
ansible-core-2.14.9-1.el9ap.x86_64.rpm
SHA-256: 57c7892e7a887ac2d861d74261e9a055bbdcf77c253fc9c5ecab57815ff7c7f3
ansible-test-2.14.9-1.el9ap.x86_64.rpm
SHA-256: 191911ba8d42f46d7c12c3992bc61bb418c230329049c14d4f191500821f9297
automation-controller-4.3.13-1.el9ap.x86_64.rpm
SHA-256: 07827339a8f69e0ee3d65aa3b328761037c7982131e0c493a5df23c216d59593
automation-controller-cli-4.3.13-1.el9ap.x86_64.rpm
SHA-256: 9e6662622358d22c158fff0f6d28d22773ce1b10b079a4948425c572352e3895
automation-controller-server-4.3.13-1.el9ap.x86_64.rpm
SHA-256: c040b0107eb3ab41c76fa7c9001d80882b19fb4116e59f6a18b2b081248c0647
automation-controller-ui-4.3.13-1.el9ap.x86_64.rpm
SHA-256: 62a132e4f0397e02087b04682f4eb238db91ea4c6ecddf553a66db018cb50de4
automation-controller-venv-tower-4.3.13-1.el9ap.x86_64.rpm
SHA-256: 6705428c0286beac417742cbad8b53080dbc0cb86d73719011b6aff386f93d2c
Red Hat Ansible Automation Platform 2.3 for RHEL 8
SRPM
ansible-core-2.14.9-1.el8ap.src.rpm
SHA-256: 6eb749f1cdcff253ebc227b4333df7c09a757ef492160717dbce3532e5973f78
automation-controller-4.3.13-1.el8ap.src.rpm
SHA-256: 4b5fb48a71cb35757ed14bcc38c6eaddd14fd944eb1959954edbbdc8911395ad
x86_64
ansible-core-2.14.9-1.el8ap.x86_64.rpm
SHA-256: 6ed6a9596ac36281fc48b564fc32a2ab6212ed32725311fa03fac4bfeceda283
ansible-test-2.14.9-1.el8ap.x86_64.rpm
SHA-256: eca721f4cb88affddba40f8a12c6561a52710b9459e0112174dcb6b6c90f7e03
automation-controller-4.3.13-1.el8ap.x86_64.rpm
SHA-256: 365bd70d74315d32821e207079feb3b45ccdb812df6c2067d7fdbdbba46b6da7
automation-controller-cli-4.3.13-1.el8ap.x86_64.rpm
SHA-256: ad548b5c43009c88a7d59f99da8d4211943696ed4e26cac44537f4e89d346661
automation-controller-server-4.3.13-1.el8ap.x86_64.rpm
SHA-256: 55dfd2726fa22e4c157fb7eba1c8b6fba633b86a007f02d44f33021ac914d960
automation-controller-ui-4.3.13-1.el8ap.x86_64.rpm
SHA-256: 5add753dd765521ce52de56a5a3f07b086d62f15916daf1c217b1f928deff810
automation-controller-venv-tower-4.3.13-1.el8ap.x86_64.rpm
SHA-256: 6db16876d56f8b6ecbc07f29bd1d299a21f51aaafa118f0ff1b10c754f53fe9f
Red Hat Ansible Inside 1.1 for RHEL 9
SRPM
ansible-core-2.14.9-1.el9ap.src.rpm
SHA-256: 61c70239ad5d9eb14cc83c25daab3e5b165191949b48d380c68aeddaa83476d8
x86_64
ansible-core-2.14.9-1.el9ap.x86_64.rpm
SHA-256: 57c7892e7a887ac2d861d74261e9a055bbdcf77c253fc9c5ecab57815ff7c7f3
Red Hat Ansible Inside 1.1 for RHEL 8
SRPM
ansible-core-2.14.9-1.el8ap.src.rpm
SHA-256: 6eb749f1cdcff253ebc227b4333df7c09a757ef492160717dbce3532e5973f78
x86_64
ansible-core-2.14.9-1.el8ap.x86_64.rpm
SHA-256: 6ed6a9596ac36281fc48b564fc32a2ab6212ed32725311fa03fac4bfeceda283
Red Hat Ansible Developer 1.0 for RHEL 9
SRPM
ansible-core-2.14.9-1.el9ap.src.rpm
SHA-256: 61c70239ad5d9eb14cc83c25daab3e5b165191949b48d380c68aeddaa83476d8
x86_64
ansible-core-2.14.9-1.el9ap.x86_64.rpm
SHA-256: 57c7892e7a887ac2d861d74261e9a055bbdcf77c253fc9c5ecab57815ff7c7f3
Red Hat Ansible Developer 1.0 for RHEL 8
SRPM
ansible-core-2.14.9-1.el8ap.src.rpm
SHA-256: 6eb749f1cdcff253ebc227b4333df7c09a757ef492160717dbce3532e5973f78
x86_64
ansible-core-2.14.9-1.el8ap.x86_64.rpm
SHA-256: 6ed6a9596ac36281fc48b564fc32a2ab6212ed32725311fa03fac4bfeceda283
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.
Red Hat Security Advisory 2023-4991-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Red Hat Security Advisory 2023-4971-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
An update is now available for Red Hat Ansible Automation Platform 2.4 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-23931: A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamental rules of Python, resulting in corrupted output. * CVE-2...
Ubuntu Security Notice 6326-1 - It was discovered that GitPython did not block insecure options from user inputs in the clone command. An attacker could possibly use this issue to execute arbitrary commands on the host.
GitPython before 3.1.32 does not block insecure non-multi options in `clone` and `clone_from`, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.