Amazon Linux 2 Security Advisory: ALASANSIBLE2-2023-005
Advisory Release Date: 2023-08-21 21:01 Pacific
Advisory Updated Date: 2023-09-25 22:13 Pacific
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability. (CVE-2020-14365)
Affected Packages:
ansible
Note:
This advisory is applicable to Amazon Linux 2 - Ansible2 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update ansible to update your system.
noarch:
ansible-2.9.13-1.amzn2.noarch
ansible-doc-2.9.13-1.amzn2.noarch
src:
ansible-2.9.13-1.amzn2.src
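
The affected ranges stated above (2.8.x before 2.8.15, 2.9.x before 2.9.13) can be checked across a fleet before and after running the update. The following is an added example, not part of the original advisory or of Ansible itself; it assumes package names were collected with something like rpm -q ansible, and the function names and sample inventory are hypothetical.

```python
import re

# Fixed patch level per branch, from the advisory text for CVE-2020-14365:
# "2.8.x before 2.8.15" and "2.9.x before 2.9.13".
FIXED_PATCH = {(2, 8): 15, (2, 9): 13}

# Finds major.minor.patch at the start of the string or after a hyphen, so it
# accepts "2.9.10" as well as "ansible-2.9.10-1.amzn2.noarch".
_VERSION = re.compile(r"(?:^|-)(\d+)\.(\d+)\.(\d+)")


def classify(pkg):
    """Classify a bare version or an rpm -q style package name."""
    m = _VERSION.search(pkg.strip())
    if m is None:
        return "unparsed"  # e.g. "package ansible is not installed"
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "branch-not-listed"  # the advisory makes no statement about it
    # Integer comparison: 2.9.9 is older than 2.9.13 even though "9" > "13"
    # when compared as strings.
    return "affected" if patch < fixed else "fixed"


def affected_hosts(inventory):
    """Return sorted host names whose ansible package is in an affected range."""
    return sorted(h for h, pkg in inventory.items() if classify(pkg) == "affected")


# Constructed sample data: host names and installed versions are invented.
SAMPLE_INVENTORY = {
    "build-01": "ansible-2.9.13-1.amzn2.noarch",
    "build-02": "ansible-2.9.9-1.amzn2.noarch",
    "ctl-01": "ansible-2.8.14-1.el7.noarch",
    "ctl-02": "2.8.15",
    "ctl-03": "package ansible is not installed",
    "lab-01": "ansible-2.10.0-1.noarch",
}

if __name__ == "__main__":
    for host, pkg in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host:10} {classify(pkg):18} {pkg}")
```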