RHEL 9 : Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update (Moderate) (RHSA-2025:21768)

high Nessus Plugin ID 275792

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:21768 advisory.

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

* receptor: quic-go Crash Due to Premature HANDSHAKE_DONE Frame (CVE-2025-59530)
* automation-gateway: Improper Path Validation in Gateway Allows Credential Exfiltration (CVE-2025-9909)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes included:

Automation Platform
* Added fallback-authenticator feature, which allows users to configure fallback_authentication for running custom logic in the event local authentication fails (AAP-56919)
* Fixed a significant performance regression in response time for GET requests to /role_definitions/ and related endpoints (AAP-56868)
* Allows Event-Driven Ansible to add CA certificates in Gateway, which can then be used by Envoy to do certificate-based auth for mTLS EventStreams (AAP-56770)
* Users who existed in AAP 2.5 with controller legacy authentication, but never logged in are now marked such that they will attempt authentication with controller in AAP 2.6 rather than being left in an unusable state (AAP-56388)
* Fixed an issue in which superuser status would sync from gateway to other components if set to True, but not if set to False (AAP-56296)
* Fixed the "column main_unifiedjobtemplate.org_unique does not exist" migration error (AAP-56222)
* Fixed using the "and" condition with multiple attributes. Where previously the authentication map would skip the missing attributes, with this fix the map is applied only if all attributes are present and the condition(s) are met (AAP-53612)
* Fixed an issue where platform auditors were not able Platform level settings (AAP-55608)
* Fixed an issue where the Team input field on the authentication mapping form was not hidden when an organization role was selected (AAP-55602)
* Fixed an issue where the workflow visualizer CSS was displaying the incorrect height (AAP-55164)
* Fixed an Execution Environment deletion warning (AAP-55135)
* Added login page at /login to bypass the LOGIN_REDIRECT_OVERRIDE setting when it is misconfigured (AAP-53471)
* Ansible Lightspeed section has been removed from the left navigation bar (AAP-53006)
* Fixed an issue where filtering platform resources by special characters did not work as expected (AAP-52360)
* Fixed the Subscription Usage chart to always display at full height (AAP-52218)
* Fixed an issue that was preventing users from viewing complete survey question choices that contained a colon (AAP-50290)
* The Domains filter is now visible within the Job Templates tab that shows up in a Project, Credential, Inventory or EE (AAP-48031)
* Added limit filtering to the jobs page (AAP-45218)
* Fixed a form validation bug on the Login Redirect Override field in gateway settings (AAP-40517)
* An information message is displayed in the Review step for creating an org (AAP-30179)
* A warning message is added when a user tries to restart an activation in the 'workers offline' status (AAP-24009)
* Added the ca_certificates module and the enable_mtls attribute for route to the ansible.platform collection (AAP-48345)
* automation-gateway has been updated to 2.6.20251119
* automation-platform-ui has been updated to 2.6.3
* python3.11-django-ansible-base has been updated to 2.6.20251119

Automation controller
* Fixed an issue in receptor where some edge cases caused JSON to fail to parse (AAP-58412)
* Fixed an issue in ansible-runner where there was not a meaningful error message whenever the streaming of logs was aborted (AAP-58390)
* Migrating team mappers which do not include a users field is now supported (AAP-56395)
* Receptor collection version has been updated to 2.0.6, which is compatible with ansible-core 2.19 (AAP-42617)
* Fixed an issue where jobs failed on fapolicyd enabled systems where python 3.9 was not installed by default (AAP-55790)
* ansible-runner has been updated to 2.4.2
* automation-controller has been updated to 4.7.5
* automation-controller-fapolicyd has been updated to 1.0-5
* receptor has been updated to 1.6.2

Automation hub
* Fixed an upgrade error (AttributeError or ValueError, content type mismatch) in the Hub Django 0054 migration that happens when upgrading if any role is assigned to a group globally before the migration (AAP-58299)
* automation-hub has been updated to 4.11.3
* python3.11-galaxy-ng has been updated to 4.11.3

Event-Driven Ansible
* Added support for mTLS event streams (AAP-57375)
* automation-eda-controller has been updated to 1.2.2

Container-based Ansible Automation Platform
* Added support for Azure provider for Lightspeed (AAP-58206)
* Added support for OpenAI provider for Lightspeed (AAP-58197)
* Event-stream mTLS configuration has been added for Event-Driven Ansible (AAP-57434)
* Fixed a compatibility issue with PostgreSQL 17 when using an external database and admin credentials (AAP-57431)
* Fixed the chatbot response about the latest AAP version (AAP-57385)
* containerized installer setup has been updated to 2.6-3

RPM-based Ansible Automation Platform
* Fixed an issue where the installer failed during execution environment image upload when there is no automation hub node in inventory (AAP-56892)
* Event-stream mTLS configuration has been added for Event-Driven Ansible (AAP-46070)
* Gateway logs in /var/log/ansible-automation-platform/gateway have been refactored (AAP-30549)
* ansible-automation-platform-installer and installer setup have been updated to 2.6-3

Additional changes
* Updated ansible-creator to use images from ansible-automation-platform-26 namespace by default
* ansible-creator has been updated to 25.8.0-2

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected automation-gateway-server, receptor and/or receptorctl packages.

See Also

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2392836

https://bugzilla.redhat.com/show_bug.cgi?id=2403125

http://www.nessus.org/u?44951e4a

https://access.redhat.com/errata/RHSA-2025:21768

Plugin Details

Severity: High

ID: 275792

File Name: redhat-RHSA-2025-21768.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/19/2025

Updated: 11/19/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2025-9909

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2025-59530

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:receptor, p-cpe:/a:redhat:enterprise_linux:receptorctl, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:automation-gateway-server

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/19/2025

Vulnerability Publication Date: 10/10/2025

Reference Information

CVE: CVE-2025-59530, CVE-2025-9909

CWE: 647, 755

RHSA: 2025:21768