-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1207
Red Hat Ansible Automation Platform Operator 1.2 security update
12 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Red Hat Ansible Automation Platform Operator 1.2
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Increased Privileges            -- Existing Account
                   Overwrite Arbitrary Files       -- Existing Account
                   Create Arbitrary Files          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20228 CVE-2021-20191 CVE-2021-20180
                   CVE-2021-20178 CVE-2021-3447 CVE-2021-3156
                   CVE-2020-15999 CVE-2020-14422 CVE-2020-12403
                   CVE-2020-12402 CVE-2020-12401 CVE-2020-12400
                   CVE-2020-12243 CVE-2020-8625 CVE-2020-8177
                   CVE-2020-7595 CVE-2020-6829 CVE-2020-5313
                   CVE-2020-1971 CVE-2019-20907 CVE-2019-20388
                   CVE-2019-19956 CVE-2019-17546 CVE-2019-17498
                   CVE-2019-17023 CVE-2019-17006 CVE-2019-15903
                   CVE-2019-14973 CVE-2019-14866 CVE-2019-12749
                   CVE-2019-11756 CVE-2019-11727 CVE-2019-11719
                   CVE-2019-5188 CVE-2019-5094 CVE-2018-20843
                   CVE-2017-12652
Reference:         ESB-2021.1193
                   ESB-2021.1091
                   ESB-2021.0986
                   ESB-2021.0845
Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:1079
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Ansible Automation Platform Operator 1.2 security update
Advisory ID: RHSA-2021:1079-01
Product: Red Hat Ansible Automation Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1079
Issue date: 2021-04-06
Keywords: Security Update
CVE Names: CVE-2017-12652 CVE-2018-20843 CVE-2019-5094
           CVE-2019-5188 CVE-2019-11719 CVE-2019-11727
           CVE-2019-11756 CVE-2019-12749 CVE-2019-14866
           CVE-2019-14973 CVE-2019-15903 CVE-2019-17006
           CVE-2019-17023 CVE-2019-17498 CVE-2019-17546
           CVE-2019-19956 CVE-2019-20388 CVE-2019-20907
           CVE-2020-1971 CVE-2020-5313 CVE-2020-6829
           CVE-2020-7595 CVE-2020-8177 CVE-2020-8625
           CVE-2020-12243 CVE-2020-12400 CVE-2020-12401
           CVE-2020-12402 CVE-2020-12403 CVE-2020-14422
           CVE-2020-15999 CVE-2021-3156 CVE-2021-3447
           CVE-2021-20178 CVE-2021-20180 CVE-2021-20191
           CVE-2021-20228
=====================================================================
1. Summary:
Red Hat Ansible Automation Platform Resource Operator 1.2 (technical
preview) images that fix several security issues.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat Ansible Automation Platform Resource Operator container images
with security fixes.
Ansible Automation Platform manages Ansible Platform jobs and workflows
that can interface with any infrastructure on a Red Hat OpenShift Container
Platform cluster, or on a traditional infrastructure that is running
off-cluster.
Security fixes:
CVE-2021-20191 ansible: multiple modules expose secured values
    [ansible_automation_platform-1.2] (BZ#1916813)
CVE-2021-20178 ansible: user data leak in snmp_facts module
    [ansible_automation_platform-1.2] (BZ#1914774)
CVE-2021-20180 ansible: ansible module: bitbucket_pipeline_variable exposes
    secured values [ansible_automation_platform-1.2] (BZ#1915808)
CVE-2021-20228 ansible: basic.py no_log with fallback option
    [ansible_automation_platform-1.2] (BZ#1925002)
CVE-2021-3447 ansible: multiple modules expose secured values
    [ansible_automation_platform-1.2] (BZ#1939349)
For more details about the security issue, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1914774 - CVE-2021-20178 ansible: user data leak in snmp_facts module
1915808 - CVE-2021-20180 ansible module: bitbucket_pipeline_variable exposes secured values
1916813 - CVE-2021-20191 ansible: multiple modules expose secured values
1925002 - CVE-2021-20228 ansible: basic.py no_log with fallback option
1939349 - CVE-2021-3447 ansible: multiple modules expose secured values
5. References:
https://access.redhat.com/security/cve/CVE-2017-12652
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5188
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-14973
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-17546
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-5313
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-8625
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/cve/CVE-2020-14422
https://access.redhat.com/security/cve/CVE-2020-15999
https://access.redhat.com/security/cve/CVE-2021-3156
https://access.redhat.com/security/cve/CVE-2021-3447
https://access.redhat.com/security/cve/CVE-2021-20178
https://access.redhat.com/security/cve/CVE-2021-20180
https://access.redhat.com/security/cve/CVE-2021-20191
https://access.redhat.com/security/cve/CVE-2021-20228
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----