Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.3025 jenkins and jenkins-2-plugins security update 25 May 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: jenkins and jenkins-2-plugins Publisher: Red Hat Operating System: Red Hat Resolution: Patch/Upgrade CVE Names: CVE-2023-27904 CVE-2023-27902 CVE-2023-27901 CVE-2023-27900 CVE-2023-25762 CVE-2023-25761 CVE-2023-24998 CVE-2023-24422 CVE-2022-42889 CVE-2022-40152 CVE-2022-40151 CVE-2022-22978 CVE-2021-46877 CVE-2021-4178 CVE-2020-7692 Original Bulletin: https://access.redhat.com/errata/RHSA-2023:3299 Comment: CVSS (Max): 9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: jenkins and jenkins-2-plugins security update Advisory ID: RHSA-2023:3299-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3299 Issue date: 2023-05-24 CVE Names: CVE-2020-7692 CVE-2021-4178 CVE-2021-46877 CVE-2022-22978 CVE-2022-40151 CVE-2022-40152 CVE-2022-42889 CVE-2023-24422 CVE-2023-24998 CVE-2023-25761 CVE-2023-25762 CVE-2023-27900 CVE-2023-27901 CVE-2023-27902 CVE-2023-27904 ===================================================================== 1. Summary: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * apache-commons-text: variable interpolation RCE (CVE-2022-42889) * google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692) * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422) * kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178) * jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877) * springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978) * xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151) * woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152) * Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998) * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761) * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762) * Jenkins: Denial of Service attack (CVE-2023-27900) * Jenkins: Denial of Service attack (CVE-2023-27901) * Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902) * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1856376 - CVE-2020-7692 google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher 2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks 2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE 2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin 2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin 2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin 2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts 2177630 - CVE-2023-27902 Jenkins: Workspace temporary directories accessible through directory browser 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents 2177638 - CVE-2023-27900 Jenkins: Denial of Service attack 2177646 - CVE-2023-27901 Jenkins: Denial of Service attack 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode 6. JIRA issues fixed (https://issues.jboss.org/): PITEAM-10 - Release 4.13 Jenkins agent image PITEAM-9 - Release 4.13 Jenkins image 7. Package List: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8: Source: jenkins-2-plugins-4.13.1684911916-1.el8.src.rpm jenkins-2.387.3.1684911776-3.el8.src.rpm noarch: jenkins-2-plugins-4.13.1684911916-1.el8.noarch.rpm jenkins-2.387.3.1684911776-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-7692 https://access.redhat.com/security/cve/CVE-2021-4178 https://access.redhat.com/security/cve/CVE-2021-46877 https://access.redhat.com/security/cve/CVE-2022-22978 https://access.redhat.com/security/cve/CVE-2022-40151 https://access.redhat.com/security/cve/CVE-2022-40152 https://access.redhat.com/security/cve/CVE-2022-42889 https://access.redhat.com/security/cve/CVE-2023-24422 https://access.redhat.com/security/cve/CVE-2023-24998 https://access.redhat.com/security/cve/CVE-2023-25761 https://access.redhat.com/security/cve/CVE-2023-25762 https://access.redhat.com/security/cve/CVE-2023-27900 https://access.redhat.com/security/cve/CVE-2023-27901 https://access.redhat.com/security/cve/CVE-2023-27902 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/updates/classification/#important 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZG5wWtzjgjWX9erEAQgFsg//YzF69fxifzUFd9jVJhsxmyAL5XcwVzke 0UWcIUOW50zakKhNb+2ka6V3wCt+PlLHhHheEAR0UqMdQ0JcdGMU+Er1P8IKB0Tu LdKoOBCgFdJ6aPpDD7dBMZaCd8pSYkqF/MVfFOoJKvH36M6AJKlAxSwWofGG3vI7 312EM3Mj2NFF79y3/EIKPjVRlz1pVYmXUtGNVe5R1+gXDbgyEv/e9w4pgUowxjTH KDFSsz4WVJJGj+GGWlKtI2JkfTGjGVcyEDZsFD+ppQbRJW/EBJtXXXKp30vu41WK s7Uw8rYJybFhvxdfHeOlchK++ep4NGDbCJHtB8ad45qckKpfHPPLQtvWX2VJw8YD 8Eej7F5mU7CzCD9vBdGuSFjXLPaJnQ9RBAgCO0dmT6zaFr2QJXyYR2qZLMKpL2JZ TP+Rx4cbPYD7WsFGEWiVBdPQHKVaghfda/7XO5Nk5g8KWZ55LwSYu5tJo/rQvNWS mAOk2B651gX3EvXzidlwPIhf0BVICxdfdDzq15bXINQtFvd8IN79Bn//vYa5yCZQ dO2qEc9nXIuObgjRgPeLs32qHsVP2FCiLbSq1RsT8S7PUQa/p7SZ+epq6c/HFnoT kO9UTUrJyXHL+4RKtlI6yyupuL0UfN0q44ewyzHPm2F7h+mnZVelTfUT9JFgFgnE Br5rCa9tQGQ= =/O17 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZG64YMkNZI30y1K9AQgdeRAAkH1KOzwRFUl3Q59mKGDF59tGpSd43QkT QpxgBp3DFeHJGHTdkDBkyQOkbR1Ake0hCQapJH313vykrT0OKtF/IjTy0c6VJFVP GtTrsAvd/Qy0TK9RfXc92RGMbIpQDmTtUNR7o5oIErCQpPGZOFF3NlxoGdHvLX3j Md7Qip9bEg/WSKFYqECijrMsYUXHO70Yueb96EUEEY6tQ7uuxZxGJlOS79g6KUYH hXUsJshC/ExiYkU0sZQaei2qMJ8IlBwFS79U/F+WQ7KWOvdBBJGNd5xJLn1PFEfp ojC2yq4UJ5gE6C+E/bWYlCJiHWz++k9leB3uAGRO/L3ZsfQRlwO7d90cWrDYjA8b XGBGzFjiUZPPI8ZyQ34WNg665jy67kNhNh19yX81FgKG+7EpWvHoloQ2V9PQkGBG /bsTmT8kryB7iDzzWhcqLToCvJtV29KMqJywRiQnFRDPOa+Rh0ndLokQ3+plAFLF h1uNXZDkVZKjiKi6MfSps+aBx3bF1wWJywGp1zgVucrKBHdpxHtcw3KXcIM8vlzb hooCHWjD5fGY233EWp5vxIM2b4zBUDMSo6GyaqGWVvu9EOROsg9BnARVeWZTUpV+ H4hniLuwPC+gAYSIZCQCdoYrYfQllBIk76PjQxJ9Y41ytNMae3pw1D+oPqOJp/k2 wuBl+pdLis8= =lo4D -----END PGP SIGNATURE-----