RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (Important) (RHSA-2025:23069)

Severity: Critical | Nessus Plugin ID 278146

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:23069 advisory.

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

* automation-controller: Django SQL injection (CVE-2025-64459)
* python3.11-django: Django SQL injection (CVE-2025-64459)
* automation-eda-controller: Sensitive Internal Headers Disclosure in AAP EDA Event Streams (CVE-2025-9908)
* automation-eda-controller: Event Stream Test Mode Exposes Sensitive Headers in AAP EDA (CVE-2025-9907)
* automation-gateway: Improper Path Validation in Gateway Allows Credential Exfiltration (CVE-2025-9909)
* automation-gateway: Axios DoS via lack of data size check (CVE-2025-58754)
* receptor: quic-go Crash Due to Premature HANDSHAKE_DONE Frame (CVE-2025-59530)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes included:

Automation Platform
* Fixed using an AND condition with multiple attributes in authentication maps. Previously the authentication map would skip missing attributes; with this fix the map is applied only if all attributes are present and the condition(s) are met (AAP-53523)
* Added UI changes to subscription management splash page (AAP-47864)
* Fixed an issue where job templates did not remain editable after associated project was deleted (AAP-58474)
* automation-gateway has been updated to 2.5.20251210
* python3.11-django-ansible-base has been updated to 2.5.20251210

Automation Controller
* Fixed an issue where jobs failed on fapolicyd enabled systems where python 3.9 was not installed by default (AAP-58479)
* Fixed an issue in receptor where some edge cases caused JSON to fail to parse (AAP-57253)
* Fixed GitHub App Installation Access Token Lookup to accept Iv2 Client IDs (AAP-58882)
* Updated controller to now use the force flag when syncing a project which has 'Allow branch override' enabled (AAP-58532)
* Fixed Redis broken pipe error in long-running jobs (AAP-59727)
* Fixed the "column main_unifiedjobtemplate.org_unique does not exist" migration error (AAP-56221)
* ansible-runner has been updated to 2.4.2
* automation-controller has been updated to 4.6.23
* automation-controller-fapolicyd has been updated to 1.0-5
* receptor has been updated to 1.6.2

Automation Hub
* Autocomplete attribute added to the Automation Hub API password field (AAP-59912)
* automation-hub has been updated to 4.10.10
* python3.11-galaxy-ng has been updated to 4.10.10
* python3.11-galaxy-importer has been updated to 0.4.36

Event-Driven Ansible
* Added a credential type for mTLS event stream (AAP-55786)
* Fixed an issue where redis_tls did not support boolean values such as yes/no (AAP-52828)
* automation-eda-controller has been updated to 1.1.14

Container-based Ansible Automation Platform
* Fixed podman 5.6 compatibility with automation controller container configuration (AAP-58546)
* Removed EVENT_STREAM_MTLS_BASE_URL from EDA settings file avoiding duplicate entry when using eda_extra_settings variable (AAP-57587)
* RHEL minimum version has been updated to 9.4 (AAP-56386)
* nginx has been updated to 1.24 (AAP-56203)
* Containerized installer setup has been updated to 2.5-21

RPM-based Ansible Automation Platform
* Fixed an issue where the installer failed during execution environment image upload when there is no automation hub node in inventory (AAP-57122)
* RHEL minimum version has been updated to 8.10 and 9.4 (AAP-56386)
* nginx has been updated to 1.24 (AAP-56205)
* ansible-automation-platform-installer and installer setup have been updated to 2.5-20

Additional changes
* ansible-builder has been updated to 3.1.1
* ansible-creator has been updated to 25.12.0
* ansible-dev-environment has been updated to 25.12.2
* ansible-dev-tools has been updated to 25.12.0
* ansible-lint has been updated to 25.12.0
* ansible-navigator has been updated to 25.12.0
* ansible-sign has been updated to 0.1.4
* bindep has been updated to 2.13.0
* molecule has been updated to 25.12.0
* python3.11-ansible-compat has been updated to 25.12.0
* python3.11-distlib has been updated to 0.4.0
* python3.11-django has been updated to 4.2.26
* python3.11-execnet has been updated to 2.1.2
* python3.11-gunicorn has been updated to 23.0.0
* python3.11-pluggy has been updated to 1.6.0
* python3.11-pytest has been updated to 9.0.1
* python3.11-pytest-ansible has been updated to 25.12.0
* python3.11-pytest-xdist has been updated to 3.8.0
* python3.11-ruamel-yaml-clib has been updated to 0.2.15
* python3.11-subprocess-tee has been updated to 0.4.2
* python3.11-tox-ansible has been updated to 25.12.0
* python3.11-typing-extensions has been updated to 4.15.0

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=2392834

https://bugzilla.redhat.com/show_bug.cgi?id=2392835

https://bugzilla.redhat.com/show_bug.cgi?id=2392836

https://bugzilla.redhat.com/show_bug.cgi?id=2394735

https://bugzilla.redhat.com/show_bug.cgi?id=2403125

https://bugzilla.redhat.com/show_bug.cgi?id=2412651

http://www.nessus.org/u?039d9ef2

https://access.redhat.com/errata/RHSA-2025:23069

Plugin Details

Severity: Critical

ID: 278146

File Name: redhat-RHSA-2025-23069.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/10/2025

Updated: 12/10/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.7

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-64459

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:bindep, p-cpe:/a:redhat:enterprise_linux:python3.11-galaxy-importer, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2bapi_documentation, p-cpe:/a:redhat:enterprise_linux:python3.11-execnet, p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-event-stream-services, p-cpe:/a:redhat:enterprise_linux:automation-eda-controller, p-cpe:/a:redhat:enterprise_linux:python3.11-galaxy-ng, p-cpe:/a:redhat:enterprise_linux:automation-controller-cli, p-cpe:/a:redhat:enterprise_linux:automation-controller-ui, p-cpe:/a:redhat:enterprise_linux:ansible-navigator, p-cpe:/a:redhat:enterprise_linux:ansible-dev-tools, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2brest_filters, p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-base, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:ansible-automation-platform-installer, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2bredis_client, p-cpe:/a:redhat:enterprise_linux:automation-controller, p-cpe:/a:redhat:enterprise_linux:automation-controller-fapolicyd, p-cpe:/a:redhat:enterprise_linux:python3.11-gunicorn, p-cpe:/a:redhat:enterprise_linux:python3.11-ansible-runner, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2bjwt_consumer, p-cpe:/a:redhat:enterprise_linux:ansible-creator, p-cpe:/a:redhat:enterprise_linux:automation-gateway, p-cpe:/a:redhat:enterprise_linux:python3.11-django, p-cpe:/a:redhat:enterprise_linux:python3.11-typing-extensions, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2bauthentication, p-cpe:/a:redhat:enterprise_linux:automation-controller-server, p-cpe:/a:redhat:enterprise_linux:automation-hub, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2bchannel_auth, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2boauth2_provider, p-cpe:/a:redhat:enterprise_linux:python3.11-pluggy, 
p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2bfeature_flags, p-cpe:/a:redhat:enterprise_linux:receptor, p-cpe:/a:redhat:enterprise_linux:ansible-dev-tools%2bserver, p-cpe:/a:redhat:enterprise_linux:automation-controller-venv-tower, p-cpe:/a:redhat:enterprise_linux:python3.11-ansible-compat, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base, p-cpe:/a:redhat:enterprise_linux:python3.11-pytest-ansible, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2bactivitystream, p-cpe:/a:redhat:enterprise_linux:ansible-sign, p-cpe:/a:redhat:enterprise_linux:automation-gateway-config, p-cpe:/a:redhat:enterprise_linux:python3.11-tox-ansible, p-cpe:/a:redhat:enterprise_linux:python3.11-distlib, p-cpe:/a:redhat:enterprise_linux:python3.11-django-ansible-base%2brbac, p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-base-services, p-cpe:/a:redhat:enterprise_linux:automation-gateway-server, p-cpe:/a:redhat:enterprise_linux:python3.11-subprocess-tee, p-cpe:/a:redhat:enterprise_linux:ansible-dev-environment, p-cpe:/a:redhat:enterprise_linux:receptorctl, p-cpe:/a:redhat:enterprise_linux:ansible-runner, p-cpe:/a:redhat:enterprise_linux:python3.11-ruamel-yaml-clib, p-cpe:/a:redhat:enterprise_linux:ansible-lint, p-cpe:/a:redhat:enterprise_linux:python3.11-pytest, p-cpe:/a:redhat:enterprise_linux:python3.11-pytest-xdist, p-cpe:/a:redhat:enterprise_linux:molecule, p-cpe:/a:redhat:enterprise_linux:ansible-builder, p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-worker-services

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/10/2025

Vulnerability Publication Date: 9/11/2025

Reference Information

CVE: CVE-2025-58754, CVE-2025-59530, CVE-2025-64459, CVE-2025-9907, CVE-2025-9908, CVE-2025-9909

CWE: 200, 647, 755, 770, 89

RHSA: 2025:23069