Operating System:

[RedHat]

Published:

25 May 2023

Protect yourself against future threats.

//Service

Sensitive Information Alert

Alert notification provided via email for sensitive material found online by our analyst team which specifically targets your organisation.

Read more
Resources > Security Bulletins > ESB-2023.3025 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3025
               jenkins and jenkins-2-plugins security update
                                25 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jenkins and jenkins-2-plugins
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-27904 CVE-2023-27902 CVE-2023-27901
                   CVE-2023-27900 CVE-2023-25762 CVE-2023-25761
                   CVE-2023-24998 CVE-2023-24422 CVE-2022-42889
                   CVE-2022-40152 CVE-2022-40151 CVE-2022-22978
                   CVE-2021-46877 CVE-2021-4178 CVE-2020-7692

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2023:3299

Comment: CVSS (Max):  9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update
Advisory ID:       RHSA-2023:3299-01
Product:           OpenShift Developer Tools and Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3299
Issue date:        2023-05-24
CVE Names:         CVE-2020-7692 CVE-2021-4178 CVE-2021-46877 
                   CVE-2022-22978 CVE-2022-40151 CVE-2022-40152 
                   CVE-2022-42889 CVE-2023-24422 CVE-2023-24998 
                   CVE-2023-25761 CVE-2023-25762 CVE-2023-27900 
                   CVE-2023-27901 CVE-2023-27902 CVE-2023-27904 
=====================================================================

1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.13.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* google-oauth-client: missing PKCE support in accordance with the RFC for
OAuth 2.0 for Native Apps can lead to improper authorization
(CVE-2020-7692)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script
Security Plugin (CVE-2023-24422)

* kubernetes-client: Insecure deserialization in unmarshalYaml method
(CVE-2021-4178)

* jackson-databind: Possible DoS if using JDK serialization to serialize
JsonNode (CVE-2021-46877)

* springframework: Authorization Bypass in RegexRequestMatcher
(CVE-2022-22978)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40151)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* Apache Commons FileUpload: FileUpload DoS with excessive parts
(CVE-2023-24998)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
(CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in
Pipeline: Build Step Plugin (CVE-2023-25762)

* Jenkins: Denial of Service attack (CVE-2023-27900)

* Jenkins: Denial of Service attack (CVE-2023-27901)

* Jenkins: Workspace temporary directories accessible through directory
browser (CVE-2023-27902)

* Jenkins: Information disclosure through error stack traces related to
agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1856376 - CVE-2020-7692 google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization
2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin
2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
2177630 - CVE-2023-27902 Jenkins: Workspace temporary directories accessible through directory browser
2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents
2177638 - CVE-2023-27900 Jenkins: Denial of Service attack
2177646 - CVE-2023-27901 Jenkins: Denial of Service attack
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode

6. JIRA issues fixed (https://issues.jboss.org/):

PITEAM-10 - Release 4.13 Jenkins agent image
PITEAM-9 - Release 4.13 Jenkins image

7. Package List:

OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8:

Source:
jenkins-2-plugins-4.13.1684911916-1.el8.src.rpm
jenkins-2.387.3.1684911776-3.el8.src.rpm

noarch:
jenkins-2-plugins-4.13.1684911916-1.el8.noarch.rpm
jenkins-2.387.3.1684911776-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-7692
https://access.redhat.com/security/cve/CVE-2021-4178
https://access.redhat.com/security/cve/CVE-2021-46877
https://access.redhat.com/security/cve/CVE-2022-22978
https://access.redhat.com/security/cve/CVE-2022-40151
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-42889
https://access.redhat.com/security/cve/CVE-2023-24422
https://access.redhat.com/security/cve/CVE-2023-24998
https://access.redhat.com/security/cve/CVE-2023-25761
https://access.redhat.com/security/cve/CVE-2023-25762
https://access.redhat.com/security/cve/CVE-2023-27900
https://access.redhat.com/security/cve/CVE-2023-27901
https://access.redhat.com/security/cve/CVE-2023-27902
https://access.redhat.com/security/cve/CVE-2023-27904
https://access.redhat.com/security/updates/classification/#important

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZG5wWtzjgjWX9erEAQgFsg//YzF69fxifzUFd9jVJhsxmyAL5XcwVzke
0UWcIUOW50zakKhNb+2ka6V3wCt+PlLHhHheEAR0UqMdQ0JcdGMU+Er1P8IKB0Tu
LdKoOBCgFdJ6aPpDD7dBMZaCd8pSYkqF/MVfFOoJKvH36M6AJKlAxSwWofGG3vI7
312EM3Mj2NFF79y3/EIKPjVRlz1pVYmXUtGNVe5R1+gXDbgyEv/e9w4pgUowxjTH
KDFSsz4WVJJGj+GGWlKtI2JkfTGjGVcyEDZsFD+ppQbRJW/EBJtXXXKp30vu41WK
s7Uw8rYJybFhvxdfHeOlchK++ep4NGDbCJHtB8ad45qckKpfHPPLQtvWX2VJw8YD
8Eej7F5mU7CzCD9vBdGuSFjXLPaJnQ9RBAgCO0dmT6zaFr2QJXyYR2qZLMKpL2JZ
TP+Rx4cbPYD7WsFGEWiVBdPQHKVaghfda/7XO5Nk5g8KWZ55LwSYu5tJo/rQvNWS
mAOk2B651gX3EvXzidlwPIhf0BVICxdfdDzq15bXINQtFvd8IN79Bn//vYa5yCZQ
dO2qEc9nXIuObgjRgPeLs32qHsVP2FCiLbSq1RsT8S7PUQa/p7SZ+epq6c/HFnoT
kO9UTUrJyXHL+4RKtlI6yyupuL0UfN0q44ewyzHPm2F7h+mnZVelTfUT9JFgFgnE
Br5rCa9tQGQ=
=/O17
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZG64YMkNZI30y1K9AQgdeRAAkH1KOzwRFUl3Q59mKGDF59tGpSd43QkT
QpxgBp3DFeHJGHTdkDBkyQOkbR1Ake0hCQapJH313vykrT0OKtF/IjTy0c6VJFVP
GtTrsAvd/Qy0TK9RfXc92RGMbIpQDmTtUNR7o5oIErCQpPGZOFF3NlxoGdHvLX3j
Md7Qip9bEg/WSKFYqECijrMsYUXHO70Yueb96EUEEY6tQ7uuxZxGJlOS79g6KUYH
hXUsJshC/ExiYkU0sZQaei2qMJ8IlBwFS79U/F+WQ7KWOvdBBJGNd5xJLn1PFEfp
ojC2yq4UJ5gE6C+E/bWYlCJiHWz++k9leB3uAGRO/L3ZsfQRlwO7d90cWrDYjA8b
XGBGzFjiUZPPI8ZyQ34WNg665jy67kNhNh19yX81FgKG+7EpWvHoloQ2V9PQkGBG
/bsTmT8kryB7iDzzWhcqLToCvJtV29KMqJywRiQnFRDPOa+Rh0ndLokQ3+plAFLF
h1uNXZDkVZKjiKi6MfSps+aBx3bF1wWJywGp1zgVucrKBHdpxHtcw3KXcIM8vlzb
hooCHWjD5fGY233EWp5vxIM2b4zBUDMSo6GyaqGWVvu9EOROsg9BnARVeWZTUpV+
H4hniLuwPC+gAYSIZCQCdoYrYfQllBIk76PjQxJ9Y41ytNMae3pw1D+oPqOJp/k2
wuBl+pdLis8=
=lo4D
-----END PGP SIGNATURE-----