How to fix vulnerabilities in AWX

Hi All,

We are using the latest version of AWX and, after scanning it for vulnerabilities, we could see the following vulnerabilities which we are asked to fix.

For the python modules, I have tried checking the versions of the current pip packages in the awx and ansible venvs and they show the correct version. Could anyone please suggest where these are coming from, since I couldn't see them in the requirements directory of the awx setup? Also, how can we fix them, since this will impact our whole environment and we won't be able to proceed further without the fixes :frowning:

```
/usr/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py || FIX_VERSION: 2.20.0
/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connectionpool.py || FIX_VERSION: 1.23
/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/poolmanager.py || FIX_VERSION: 1.23
/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/retry.py || FIX_VERSION: 1.23
/usr/lib/python3.6/site-packages/pip/_vendor/requests/sessions.py || FIX_VERSION: 2.20.0
/usr/lib/python3.6/site-packages/pip/_vendor/urllib3/connectionpool.py || FIX_VERSION: 1.23
/usr/lib/python3.6/site-packages/pip/_vendor/urllib3/poolmanager.py || FIX_VERSION: 1.23
/usr/lib/python3.6/site-packages/pip/_vendor/urllib3/util/retry.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/poolmanager.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/util/retry.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/botocore/vendored/requests/sessions.py || FIX_VERSION: 2.20.0
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/connectionpool.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/poolmanager.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/util/retry.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/requests/sessions.py || FIX_VERSION: 2.20.0
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/urllib3/connectionpool.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/urllib3/poolmanager.py || FIX_VERSION: 1.23
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/urllib3/util/retry.py || FIX_VERSION: 1.23
/var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/connectionpool.py || FIX_VERSION: 1.23
/var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/poolmanager.py || FIX_VERSION: 1.23
/var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/requests/sessions.py || FIX_VERSION: 2.20.0
/var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/util/retry.py || FIX_VERSION: 1.23
/var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/urllib3/connectionpool.py || FIX_VERSION: 1.23
/var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/urllib3/poolmanager.py || FIX_VERSION: 1.23
/var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/urllib3/util/retry.py || FIX_VERSION: 1.23

libcomps || FIX_VERSION: 0.1.11-2.el8
libseccomp || FIX_VERSION: 2.4.1-1.el8
sudo || FIX_VERSION: 1.8.25p1-8.el8_1
libarchive || FIX_VERSION: 3.3.2-7.el8
```
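The paths in the scan output above already answer the "where do these come from" question: `pip/_vendor/` and `botocore/vendored/` are private copies of requests and urllib3 bundled inside the pip and botocore distributions themselves. They are not listed in requirements.txt, `pip list` does not show them, and `pip install --upgrade requests` does not touch them; they only change when the distribution that carries them (pip itself, botocore) is upgraded or replaced. The script below is an added example, not part of the original thread or of AWX. It walks one site-packages root, finds every requests/ or urllib3/ directory nested inside another package, reads the declared `__version__` without importing the copy, and compares it with the scanner's fix versions (2.20.0 and 1.23). The directory layout and version numbers it builds in a temporary directory are constructed for illustration only, not measured from any AWX image.

```python
"""Locate vendored copies of requests/urllib3 under a site-packages root and
compare their declared version with a scanner's fix version. Added example;
the fixture below is constructed, not taken from a real AWX install."""
import os
import re
import tempfile

# Fix versions exactly as reported by the scanner in the post above.
FIX_VERSIONS = {"requests": "2.20.0", "urllib3": "1.23"}

# Files in which these two libraries have kept __version__ over the years.
VERSION_FILES = ("__init__.py", "__version__.py", "_version.py")
VERSION_RE = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.MULTILINE)


def parse_version(text):
    """'2.20.0' -> (2, 20, 0); stops at the first non-numeric component,
    so a pre-release suffix such as '1.25.3rc1' is read as (1, 25, 3)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than b; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def read_version(pkg_dir):
    """Return the __version__ declared in pkg_dir without importing it
    (importing a vendored copy could shadow the real package)."""
    for name in VERSION_FILES:
        path = os.path.join(pkg_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            m = VERSION_RE.search(fh.read())
        if m:
            return m.group(1)
    return None


def find_vendored(root):
    """Report every requests/ or urllib3/ directory nested inside another
    package under root (pip/_vendor, botocore/vendored, requests/packages).
    The copy directly under root is the pip-managed install that `pip list`
    and `pip install --upgrade` operate on, so it is skipped."""
    root = os.path.normpath(root)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.normpath(dirpath) == root:
            continue  # top-level packages are not vendored copies
        for d in dirnames:
            if d not in FIX_VERSIONS:
                continue
            pkg_dir = os.path.join(dirpath, d)
            rel = os.path.relpath(pkg_dir, root).replace(os.sep, "/")
            version = read_version(pkg_dir)
            fix = FIX_VERSIONS[d]
            findings.append({
                "path": rel,
                "library": d,
                "owner": rel.split("/")[0],  # distribution that must be upgraded
                "version": version,
                "fix_version": fix,
                # an unreadable version is treated as needing attention
                "outdated": version is None or version_lt(version, fix),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(base):
    """Constructed fixture (made-up versions) laid out like the scan output."""
    files = {
        # normal pip-managed installs, already at or above the fix versions
        "requests/__init__.py": "from .__version__ import __version__\n",
        "requests/__version__.py": "__version__ = '2.22.0'\n",
        "urllib3/__init__.py": "__version__ = '1.25.3'\n",
        # pip's own vendored copies, below the fix versions
        "pip/_vendor/requests/__init__.py": "from .__version__ import __version__\n",
        "pip/_vendor/requests/__version__.py": "__version__ = '2.19.1'\n",
        "pip/_vendor/urllib3/__init__.py": "__version__ = '1.22'\n",
        # botocore's vendored requests, with its own urllib3 nested inside
        "botocore/vendored/requests/__init__.py": "__version__ = '2.7.0'\n",
        "botocore/vendored/requests/packages/urllib3/__init__.py": "__version__ = '1.10.4'\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the fixture in a temp dir and return the vendored findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_vendored(base)


if __name__ == "__main__":
    for f in demo():
        flag = "OUTDATED" if f["outdated"] else "ok"
        print(f"{flag:8} {f['path']}  {f['version']} (fix {f['fix_version']})"
              f"  -> upgrade '{f['owner']}'")
```

To run it against a real tree, call `find_vendored()` once per root from the scan (`/usr/lib/python3.6/site-packages`, `/var/lib/awx/venv/awx/lib/python3.6/site-packages`, `/var/lib/awx/venv/ansible/lib/python3.6/site-packages`, and so on). The `owner` field names the distribution whose upgrade actually replaces the vendored copy: for a venv that is `pip` itself or `botocore`; for the system `/usr/lib/python*/site-packages/pip` it is the operating-system pip package, so that one follows the same path as the RPM findings (a newer base image or package update) rather than a venv pip upgrade.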

Hello All,

Could anyone please suggest any way forward on this? Any suggestions would be really helpful for me.

Thanks in advance.

Hello All,

I am adding the CVEs related to these vulnerabilities. Could anyone please suggest a path to resolve these?

```
ID                location / package                                                                                              severity  score  fix version  [package  fixed version]
CVE-2018-18074    /usr/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py                                               high      9.8    2.20.0
CVE-2018-20060    /usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connectionpool.py                                          high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /usr/lib/python2.7/site-packages/pip/_vendor/urllib3/poolmanager.py                                             high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/retry.py                                              high      9.8    1.23         python-urllib3 1.23
CVE-2018-18074    /usr/lib/python3.6/site-packages/pip/_vendor/requests/sessions.py                                               high      9.8    2.20.0
CVE-2018-20060    /usr/lib/python3.6/site-packages/pip/_vendor/urllib3/connectionpool.py                                          high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /usr/lib/python3.6/site-packages/pip/_vendor/urllib3/poolmanager.py                                             high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /usr/lib/python3.6/site-packages/pip/_vendor/urllib3/util/retry.py                                              high      9.8    1.23         python-urllib3 1.23
CVE-2019-9948     /usr/lib64/python2.7/urllib.py                                                                                  high      9.1    None
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py  high  9.8  1.23    python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/poolmanager.py     high  9.8  1.23    python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/util/retry.py      high  9.8  1.23    python-urllib3 1.23
CVE-2018-18074    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/botocore/vendored/requests/sessions.py                    high      9.8    2.20.0
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/connectionpool.py   high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/poolmanager.py      high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/util/retry.py       high      9.8    1.23         python-urllib3 1.23
CVE-2018-18074    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/requests/sessions.py                          high      9.8    2.20.0
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/urllib3/connectionpool.py                     high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/urllib3/poolmanager.py                        high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/ansible/lib/python3.6/site-packages/pip/_vendor/urllib3/util/retry.py                         high      9.8    1.23         python-urllib3 1.23
CVE-2019-18874    psutil                                                                                                          high      7      None
CVE-2018-20060    /var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/connectionpool.py       high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/poolmanager.py          high      9.8    1.23         python-urllib3 1.23
CVE-2018-18074    /var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/requests/sessions.py                              high      9.8    2.20.0
CVE-2018-20060    /var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/requests/packages/urllib3/util/retry.py           high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/urllib3/connectionpool.py                         high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/urllib3/poolmanager.py                            high      9.8    1.23         python-urllib3 1.23
CVE-2018-20060    /var/lib/awx/venv/awx/lib/python3.6/site-packages/pip/_vendor/urllib3/util/retry.py                             high      9.8    1.23         python-urllib3 1.23
CVE-2019-18874    psutil                                                                                                          high      7      None
CVE-2019-12855    /var/lib/awx/venv/awx/lib/python3.6/site-packages/twisted/words/protocols/jabber/xmlstream.py                   high      7.4    None
CVE-2019-10164    postgresql                                                                                                      high      7      None
CVE-2019-9633     glib2                                                                                                           high      7      None
RHSA-2019:3583    libcomps                                                                                                        high      7      0.1.11-2.el8
CVE-2019-5010     python36                                                                                                        high      7      None
CVE-2019-11756    nss                                                                                                             high      7      None
RHSA-2019:3624    libseccomp                                                                                                      high      7      2.4.1-1.el8
CVE-2019-13565    openldap                                                                                                        high      7      None
RHSA-2019:3694    sudo                                                                                                            high      7      1.8.25p1-8.el8_1
CVE-2019-1010023  glibc                                                                                                           high      7      None
RHSA-2019:3698    libarchive                                                                                                      high      7      3.3.2-7.el8
CVE-2019-5443     curl                                                                                                            high      7      None
CVE-2019-12439    bubblewrap                                                                                                      high      7      None
CVE-2019-10164    libpq                                                                                                           high      7      None
```

Regards,
Ankit

A package update should just upgrade those. Also, you’ll want to install 9.10 db as well.

Hello Cary,

Thanks for your response. I was able to upgrade some of them by updating requirements.txt and requirements_ansible.txt during the build. However, the following are still remaining. Could you please suggest how I can fix these?

You can do a `pip install package --upgrade`; this will update those packages, however I'm not sure if the versions will break anything. Are you using the latest version of awx? If not, you might consider updating that and getting a fresh container.

Hi Cary,

Yes, I am testing this in the latest version of AWX (9.1.0). I have actually tried running `pip install --upgrade pip` in the awx and ansible venvs but some modules are still not upgraded.