Operating System:

[RedHat]

Published:

17 December 2019

Protect yourself against future threats.

//Service

Sensitive Information Alert

Alert notification provided via email for sensitive material found online by our analyst team which specifically targets your organisation.

Read more
Resources > Security Bulletins > ESB-2019.4690 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4690
                       Red Hat Ansible Tower 3.5.4-1
                             17 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ansible Tower 6/7
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges     -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19342 CVE-2019-19341 CVE-2019-19340
                   CVE-2019-14864 CVE-2019-10768 

Reference:         ESB-2019.4404

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:4242
   https://access.redhat.com/errata/RHSA-2019:4243

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Ansible Tower 3.5.4-1 - RHEL7 Container
Advisory ID:       RHSA-2019:4242-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4242
Issue date:        2019-12-16
CVE Names:         CVE-2019-14864 CVE-2019-19340 CVE-2019-19341 
                   CVE-2019-19342 
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.5.4-1 - RHEL7 Container

2. Description:

* Added a command to generate a new SECRET_KEY and rekey the database 
* Removed the guest user from the optionally-configured RabbitMQ admin
interface (CVE-2019-19340)
* Fixed assorted issues with preserving permissions in the Ansible Tower
backup playbook (CVE-2019-19341)
* Fixed a partial password disclosure when special characters existed in
the RabbitMQ password (CVE-2019-19342)
* Fixed a file descriptor leak in the Tower service during project updates
* Fixed an issue where AUTHORIZATION_CODE_EXPIRE_SECONDS and
ACCESS_TOKEN_EXPIRE_SECONDS were not properly honored
* Fixed an issue where some timezones in schedules could not be parsed
* Fixed isolated execution of playbooks with blanks in the filename
* Fixed saving of workflow extra_vars
* Updated Ansible Tower to disallow Jinja in inventory hostnames
* Updated analytics data collection to match Ansible Tower 3.6
* Updated bundled oVirt SDK to version 4.3.0

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1782623 - CVE-2019-19342 Tower: special characters in RabbitMQ passwords causes web socket 500 error
1782624 - CVE-2019-19340 Tower: enabling RabbitMQ manager in the installer exposes the management interface publicly
1782625 - CVE-2019-19341 Tower: intermediate files during Tower backup are world-readable

5. References:

https://access.redhat.com/security/cve/CVE-2019-14864
https://access.redhat.com/security/cve/CVE-2019-19340
https://access.redhat.com/security/cve/CVE-2019-19341
https://access.redhat.com/security/cve/CVE-2019-19342
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXffOX9zjgjWX9erEAQhvew//VfJgHom06V9Aut5W0CRjEM7ZTV5iaFI/
UFs5HTVthpMvRCwa+98ZJ8jq71Rwzc7QkKL+1g3YMCvMymKTJPMUSx2yHL7toIaR
nk++xVNDzBjtq7dVBiPKyCoEi74UIa8/Zuj36hRaFxwiwsysj1TpLf/B81cUuupx
Lmo32wCDNCq0tYlqxt6ytS9rBn8UmafxvuKWMIZaWpB787/kpVNnYNrn+/Cv9Bfn
DA4Xy3U9AVeNAesbVkWgC/wpPi9aqNbyrrodVpJWTAZ1spkwdTk9XtusGRpLx51Q
InWD53RufFb4Xdd5+kZZBh1Bszw3h6XTknFKX9vWVp0aw725CgVsEoYnV9Fn0zHr
JkuCBwgr+CQgJQV3C6D4N+QYlMVuZlfW0fWgpaGgMuGVg4akl/DGmbmB+Jy9GJ/2
cr1NUDiR1TdaQa0pVnbx72Pr2OZiBi1r8aUm/jeUBC64b9NtAsLQUZSeFuCU4UwX
+7auNV+pCWwrknYWIJ+VAIhwWGO5vYVvRU9XbwG4JQ3g2HISoRXHvy1x1jk4eGkX
Xh5wAQtXKI28lSJill8TQjGX6TjsH1mLnGpzGTjl2tIZIasMviEWJzvuUcnhymiO
+sBzL1eAAExmINTJfJW1qeT9NbcD11wkY5JKXPbMhd8Gq9QPl4BndFkuJibVaMpo
thZ59eIYjCI=
=0zy5
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Ansible Tower 3.6.2-1 - RHEL7 Container
Advisory ID:       RHSA-2019:4243-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4243
Issue date:        2019-12-16
CVE Names:         CVE-2019-19340 CVE-2019-19341 CVE-2019-19342 
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.6.2-1 - RHEL7 Container

2. Description:

* Added a command to generate a new SECRET_KEY and rekey the database
* Removed the guest user from the optionally-configured RabbitMQ admin
interface (CVE-2019-19340)
* Fixed slow queries for /api/v2/instances and /api/v2/instance_groups when
smart inventories are used
* Fixed assorted issues with preserving permissions in the Ansible Tower
backup playbook (CVE-2019-19341)
* Fixed a partial password disclosure when special characters existed in
the RabbitMQ password (CVE-2019-19342)
* Fixed hang in error handling for source control checkouts
* Fixed an error on subsequent job runs that override the branch of a
project on an instance that did not have a prior project checkout
* Fixed an issue where supervisord would not shut down correctly
* Fixed an issue where jobs launched in isolated or container groups would
incorrectly timeout
* Fixed link to instance groups documentation in the user interface
* Fixed retrieval of Red Hat subscription data when running in OpenShift
* Fixed editing of inventory on Workflow templates
* Fixed multiple issues with OAuth2 token cleanup system jobs
* Fixed custom email notifications for workflow approve and deny
* Updated SAML implementation to automatically log if authorization exists
* Updated AngularJS to 1.7.9 for CVE-2019-10768
* Updated installer to not install PostgreSQL server on all nodes
* Updated bundled installer to contain both Red Hat Enterprise Linux 7 and
8 builds

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1782623 - CVE-2019-19342 Tower: special characters in RabbitMQ passwords causes web socket 500 error
1782624 - CVE-2019-19340 Tower: enabling RabbitMQ manager in the installer exposes the management interface publicly
1782625 - CVE-2019-19341 Tower: intermediate files during Tower backup are world-readable

5. References:

https://access.redhat.com/security/cve/CVE-2019-19340
https://access.redhat.com/security/cve/CVE-2019-19341
https://access.redhat.com/security/cve/CVE-2019-19342
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXffO0tzjgjWX9erEAQjwLQ/+NfHPbunRnDxqjxWlFYKgzkge6P7m215j
E5pVV/jPas2RVjCwjTK/VHnRscJDbLEaSAkGVzW3lbqyf7xxC+WTFq8Ga8D/zS9n
XSVU7Azv6CcmBchMQu2Y+QTkdVQcWpcvhOTqZ+P4zKTb24xfL8YpQtMRvJFZgE1h
u57G29WVl0WaseQYhSqgVDcODmBmLEpYZmzoJ/aDGJQ+6hIpSs+NIcE7Au2U+qGv
5r0Yd+jg6Dz6hcQe2Y4ed7ARUPrjseHK+wKO6ZcfbjhsvpCKr3NNqDn80Pe8v+3+
uj7SDHQlFGMH1nUjakawUxRpVmug30xB8/GqeKJmpLMmLNzBhw0xkeeVWbVkNNr1
ikCHI/dWIppZ3YbvtVyLEZWPMBXvrkyGkelMQKRzLYL9eReiMs/KwJFVbmKllLsz
7XN0kqgl8IWTYNppaJP93awRs0/7AYTGsdE3l53jRurGo1ab5gHYQonctKlGFZCf
X2gxnHUWACDZHkLcZ1L7tidTGfGse+0K7UM5w999Pfv8drMOTih4CAkW8g58FKb2
3WobokIqsl8YOPxrGu+K5iHf/swtXns/8oLXh768BS+PGR7gf1sfTa5XlhCi4FLf
0SNwoMbqo7DQPwqmLxXbsH5GOFOFbjTvV5Nz0blyJaxtslHgNuCKj9wNiWdXDLTT
7lp2D94ffiM=
=PZJz
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfgx0GaOgq3Tt24GAQjjzA//czQlAJvBH+I6kPeu+0u+Qu6zzTIZ9A73
icTbAQt5z8sF47yQ+PJZ8ZiVt2ei+tJo2R7V8aKVZ5lN3+FMHGA9re+qXKR1wSEZ
AF0A5MC2Te1C9QJeekjUQ25LX0VFV7puzSLYrCUA+ne7bBSE9jZRX1l4ZmQoBwbv
4+ZTvAHtgzotL3iC9Zb5EoDOW+SkLl7Vm7lPUt5AcpEokoDINy7DBtndzpD1WcNd
MXa/TQQzQIm438uPWSlgS7mPgIPrdRrYh4WrRZtO2bPJtSki0JrS4pgLebMvBAD8
s2qoxYvaR1Wj+ohE6/GFF9xNDCbM5UyJkKIvXASvXUOMktcpXqJsNhSDyDP3K4Rf
W+rERIV8B5VhXExr26N0d1Us73f9JY0FyMyrNaCNpE68pOUiK6mcM/s47NF6QHdL
rZe9z6vP5pN8CMUvfYquzyB32iF/Q5y0odzv7WEWXfju8m6CNeR0Ce03koivhs9k
caMO+u1WEOojLDyFySitAj5aDufKsi+MXXN7J5eJ2UyqSQKkIqgQALtBcAX/AOg5
kkAjbqt76THCW7RMVp4u9GDPhKqLZfAt4P5l5l36QoJmDJCk01Y0Qd/KuVmDeXAM
XwiGQwKxrhjBbhZ/TiI7oakxEPPvncnJeX0q2pe/WzURqn5KmU2pd76HmIwijxX9
nYo4JIcTaic=
=z+F4
-----END PGP SIGNATURE-----