Actually auditing an AWX and Ansible community config in doors, I’m looking for AWX versions fixing known CVEs, from v8 to today.
Well, “let’s take the latest” could be the answer, but on the other hand I can’t find a roadmap from Red Hat certifying AWX & Ansible version compatibility.
AWX is a community supported open source project, not a product from Red Hat. Red Hat’s product of AWX is called Ansible Controller.
As a fast moving open source project we don’t do a lot of auditing around AWX. There was a recent question on the mailing list around SOC2 compliance where we gave a similar answer.
Because of this, there would be no documentation from Red Hat around AWX & Ansible version compatibility nor do we have documentation around which versions of Ansible are supported under AWX.
AWX ships with a specific version of Ansible which you could find if you wanted to look through the release tags in GitHub.
In the latest versions of AWX we use execution environments to run playbooks and in the default EE (awx-ee) the version of ansible is:
ansible [core 2.12.5.post0]
While AWX may work with versions other than what is shipped we don’t do any kind of testing and don’t provide or maintain a compatibility list.
In regards to CVEs, again, we don’t have any listing of CVE fixes for the different releases of AWX. You could look through the commit history to see if a specific commit mentioned fixing a CVE but it is likely not a single commit that would fix a CVE. It is more likely that a PR or several PRs would be addressing a CVE and those may each contain several commits.
Red Hat may have some information around which CVEs were fixed in the releases of Controller but there isn’t a solid mapping between versions of AWX and Controller so even if that were available, it may not help you much with trying to audit AWX.
While most of our Python and JavaScript dependencies are pinned to a specific version, system level dependencies and anything else pulled in at container build time will be upgraded transparently. If you need to know the exact versions of all software you are running, you will need to leverage additional tooling to generate the appropriate manifest lists.
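
The following is an added example, not part of the thread and not AWX project code: it shows one way an auditor could detect the transparent system-package upgrades described above by diffing manifests taken from two builds of the same AWX image tag. It assumes an RPM-based image; the function names and all package data except the ansible-core version quoted in the thread are constructed for illustration.

```python
# Constructed sample data. In a real audit, collect it inside each image with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'   and   pip freeze
BUILD_A_RPM = "openssl-libs 1.1.1k-6.el8\nglibc 2.28-189.el8\n"
BUILD_B_RPM = "openssl-libs 1.1.1k-7.el8\nglibc 2.28-189.el8\nkrb5-libs 1.18.2-14.el8\n"
PIP_FREEZE = "ansible-core==2.12.5.post0\nexample-lib==1.0.0\n"  # same in both builds


def parse_rpm(text):
    """'name version-release' lines -> {('rpm', name): version}."""
    out = {}
    for line in text.splitlines():
        name, _, version = line.strip().partition(" ")
        if name:
            out[("rpm", name)] = version.strip()
    return out


def parse_pip(text):
    """'name==version' lines -> {('pip', name): version}; lines without '==' are marked unpinned."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, sep, version = line.partition("==")
            out[("pip", name.lower())] = version if sep else "unpinned"
    return out


def manifest(rpm_text, pip_text):
    """Merge both package sources into one manifest for an image build."""
    return {**parse_rpm(rpm_text), **parse_pip(pip_text)}


def drift(old, new):
    """Sorted (kind, name, old_version, new_version) for every difference."""
    keys = sorted(old.keys() | new.keys())
    return [(*k, old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)]


if __name__ == "__main__":
    a = manifest(BUILD_A_RPM, PIP_FREEZE)
    b = manifest(BUILD_B_RPM, PIP_FREEZE)
    for kind, name, before, after in drift(a, b):
        print(f"{kind} {name}: {before or '(absent)'} -> {after or '(absent)'}")
```

Storing the manifest next to the image digest for each deployment gives a record that can later be checked against CVE advisories for the exact package versions that were running.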