The following advisory data is extracted from: https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10766.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update Advisory ID: RHSA-2024:10766-03 Product: Red Hat Ansible Automation Platform Advisory URL: https://access.redhat.com/errata/RHSA-2024:10766 Issue date: 2024-12-04 Revision: 03 CVE Names: CVE-2024-52304 ==================================================================== Summary: An update is now available for Red Hat Ansible Automation Platform 2.5 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Security Fix(es): * automation-controller: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2024-52304) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Updates and fixes included: Automation controller * Fix job schedules running at incorrect times when rrule interval was set to HOURLY or MINUTELY (AAP-36572) * Fix bug where unrelated jobs could be marked as a dependency of other jobs (AAP-35309) * Include pod anti-affinity configuration on default containergroup pod spec to optimally spread workload (AAP-35055) * Updated the minor version of uWSGI to obtain updated log verbiage (AAP-33169) * automation-controller has been updated to 4.6.3 Receptor * Fixed an issue that caused a Receptor runtime panic error (AAP-36476) * receptor has been updated to 1.5.1 Container-based Ansible Automation Platform * With this update, you cannot change the postgresql_admin_username value when using a managed database node (AAP-36577) * Added update support for PCP monitoring role (AAP-36576) * With this update, ID and Image fields from a container image are used instead of Digest and ImageDigest to trigger a container update (AAP-36575) * Disabled platform gateway authentication in the proxy configuration to prevent HTTP 502 errors when the control plane is down (AAP-36484) * With this update, you can use dedicated nodes for the Redis group (AAP-36480) * Fixed an issue where disabling TLS on Automation Gateway would cause installation to fail (AAP-35966) * Fixed an issue where platform gateway uninstall would leave container systemd unit files on disk (AAP-35329) * Fixed an issue where disabling TLS on Automation Gateway proxy would cause installation to fail (AAP-35145) * With this update, you can now update the registry URL value in Event-Driven Ansible credentials (AAP-35085) * Fixed an issue where the automation hub container signing service creation failed when hub_collection_signing=false but hub_container_signing=true (AAP-34977) * Fixed an issue with the HOME environment variable for receptor containers which would cause a permission denied error on the containerized execution node (AAP-34945) * Fixed an issue where not setting up the GPG agent socket properly when multiple hub nodes are configured, resulted in not creating a GPG socket file in /var/tmp/pulp (AAP-34815) * With this update, you can now change the automation gateway port value after the initial deployment (AAP-34813) * With this update, the kernel.keys.maxkeys and kernel.keys.maxbytes settings are increased on systems with large memory configuration (AAP-34019) * Added ansible_connection=local to the inventory-growth file and clarified its usage (AAP-34016) * containerized installer setup has been updated to 2.5-6 RPM-based Ansible Automation Platform * Receptor data directory can now be configured using 'receptor_datadir' variable (AAP-36697) * Disabled platform gateway authentication in the proxy configuration to allow access to UI when the control plane is down (AAP-36667) * Fixed an issue where the metrics-utility command failed to run after updating automation controller (AAP-36486) * Fix issue where the dispatcher service went into FATAL status and failed to process new jobs after a database outage of a few minutes (AAP-36457) * Fixed the owner and group permissions on the /etc/tower/uwsgi.ini file (AAP-35765) * With this update, you can now update the registry URL value in Event-Driven Ansible credentials (AAP-35162) * Fixed an issue where not having eda_node_type defined in the inventory file would result in backup failure (AAP-34730) * Fixed an issue where not having routable_hostname defined in the inventory file would result in a restore failure (AAP-34563) * With this update, the inventory-growth file is now included in the ansible-automation-platform-installer (AAP-33944) * ansible-automation-platform-installer and installer setup have been updated to 2.5-6 Solution: CVEs: CVE-2024-52304 References: https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=2327130