rhsa-2019:3958
Vulnerability from csaf_redhat
Published
2019-11-25 14:20
Modified
2024-11-22 14:12
Summary
Red Hat Security Advisory: Red Hat Ansible Tower 3.6.1-1 - EL7 Container
Notes
Topic
Red Hat Ansible Tower 3.6.1-1 - EL7 Container
Details
Ansible Tower Version 3.6.1
-----------------------------
- Fixed accidental disclosure of Red Hat username and password in
/api/v2/config (CVE-2019-14890)
- Fixed upgrade failure with bundled installer
- Fixed license check error when reinstalling over a partially-installed
Tower
- Fixed database restore when using a PostgreSQL pod
- Fixed error when CA data was missing for a container group credential
- Fixed error when a container group job was launched when Tower was out
of capacity
- Fixed a few minor issues in the AWX modules collection
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Ansible Tower 3.6.1-1 - EL7 Container",
"title": "Topic"
},
{
"category": "general",
"text": "Ansible Tower Version 3.6.1\n-----------------------------\n\n- Fixed accidental disclosure of Red Hat username and password in \n /api/v2/config (CVE-2019-14890)\n- Fixed upgrade failure with bundled installer\n- Fixed license check error when reinstalling over a partially-installed \n Tower\n- Fixed database restore when using a PostgreSQL pod\n- Fixed error when CA data was missing for a container group credential\n- Fixed error when a container group job was launched when Tower was out \n of capacity\n- Fixed a few minor issues in the AWX modules collection",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:3958",
"url": "https://access.redhat.com/errata/RHSA-2019:3958"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "1773622",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1773622"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_3958.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Ansible Tower 3.6.1-1 - EL7 Container",
"tracking": {
"current_release_date": "2024-11-22T14:12:15+00:00",
"generator": {
"date": "2024-11-22T14:12:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:3958",
"initial_release_date": "2019-11-25T14:20:18+00:00",
"revision_history": [
{
"date": "2019-11-25T14:20:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-11-25T14:20:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:12:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ansible Tower 3.6 for RHEL 7",
"product": {
"name": "Red Hat Ansible Tower 3.6 for RHEL 7",
"product_id": "7Server-Ansible-Tower-3.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_tower:3.6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ansible Tower"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64",
"product": {
"name": "ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64",
"product_id": "ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa?arch=amd64\u0026repository_url=registry.redhat.io/ansible-tower-36/ansible-tower\u0026tag=3.6.1-1"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64 as a component of Red Hat Ansible Tower 3.6 for RHEL 7",
"product_id": "7Server-Ansible-Tower-3.6:ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64"
},
"product_reference": "ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64",
"relates_to_product_reference": "7Server-Ansible-Tower-3.6"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Victor da Costa"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-14890",
"cwe": {
"id": "CWE-312",
"name": "Cleartext Storage of Sensitive Information"
},
"discovery_date": "2019-11-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1773622"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Ansible Tower where the RHSM credentials are saved in plain text in the database that is available at \u0027/api/v2/config\u0027 after applying the Ansible Tower license. Attackers with this information could log into RHSM and modify licenses and make other changes.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Tower: RHSM username and password exposed after license application",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Ansible Tower 3.6.0 is affected, but Ansible Tower 3.5, 3.4, and 3.3 are not vulnerable as they do not include the new RHSM.\n\nCloudForms 5.9 and 5.10 are not vulnerable as they do not use Ansible Tower 3.6.0.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-Tower-3.6:ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14890"
},
{
"category": "external",
"summary": "RHBZ#1773622",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1773622"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14890",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14890"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14890",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14890"
}
],
"release_date": "2019-11-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-11-25T14:20:18+00:00",
"details": "For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html",
"product_ids": [
"7Server-Ansible-Tower-3.6:ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:3958"
},
{
"category": "workaround",
"details": "There is no mitigation for this issue since this issue happens when Red Hat license is applied.",
"product_ids": [
"7Server-Ansible-Tower-3.6:ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"7Server-Ansible-Tower-3.6:ansible-tower-36/ansible-tower@sha256:bfc301f3d789f1c1d9cede65934015124447bba752b8033b68ab9e60156e81aa_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Tower: RHSM username and password exposed after license application"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.