- Issued:
- 2021-03-09
- Updated:
- 2021-03-09
RHSA-2021:0780 - Important: Red Hat Ansible Tower 3.8.2-1 - Container security and bug fix update
Synopsis
Important: Red Hat Ansible Tower 3.8.2-1 - Container security and bug fix update
Type/Severity
Security Advisory Important
Topic
Red Hat Ansible Tower 3.8.2-1 - Container
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Security Fix(es):
- Addressed a security issue which can allow a malicious playbook author to elevate to the awx user from outside the isolated environment: CVE-2021-20253
- Upgraded to a more recent version of Django to address CVE-2021-3281.
- Upgraded to a more recent version of autobahn to address CVE-2020-35678.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Upgraded to the latest oVirt inventory plugin to resolve a number of inventory syncing issues that can occur on RHEL7.
- Upgraded to the latest theforeman.foreman inventory plugin to resolve a few bugs and performance regressions.
- Fixed several issues related to how Tower rotates its log files.
- Fixed a bug which can prevent Tower from installing on RHEL8 with certain non-en_US.UTF-8 locales.
- Fixed a bug which can cause unanticipated delays in certain playbook output.
- Fixed a bug which can cause job runs to fail for playbooks that print certain types of raw binary data.
- Fixed a bug which can cause unnecessary records in the Activity Stream when Automation Analytics data is collected.
- Fixed a bug which can cause Tower PostgreSQL backups to fail when a non-default PostgreSQL username is specified.
- Fixed a bug which can intermittently cause access to encrypted Tower settings to fail, resulting in failed job launches.
- Fixed a bug which can cause certain long-running jobs running on isolated nodes to unexpectedly fail.
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Ansible Automation Platform | Text-Only Advisories | x86_64 |
Fixes
- This content is not included.BZ - 1911314
- This content is not included.BZ - 1919969
- This content is not included.BZ - 1928847
CVEs
- CVE-2020-10543
- CVE-2020-10878
- CVE-2020-12723
- CVE-2020-35678
- CVE-2021-3281
- CVE-2021-20178
- CVE-2021-20180
- CVE-2021-20191
- CVE-2021-20228
- CVE-2021-20253
References
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.