-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: OpenShift Developer Tools and Services for OCP 4.12 security update
Advisory ID:       RHSA-2023:1064-01
Product:           OpenShift Developer Tools and Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1064
Issue date:        2023-03-06
CVE Names:         CVE-2022-29047 CVE-2022-30952 CVE-2022-42003
                   CVE-2022-42004 CVE-2022-43401 CVE-2022-43402
                   CVE-2022-43403 CVE-2022-43404 CVE-2022-43405
                   CVE-2022-43406 CVE-2022-43407 CVE-2022-43408
                   CVE-2022-43409 CVE-2022-43410 CVE-2022-45047
====================================================================

1. Summary:

An update for Jenkins and Jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43401)

* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:
Groovy Plugin (CVE-2022-43402)

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43403)

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43404)

* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)

* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)

* Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline
libraries in Pipeline Shared Groovy Libraries Plugin (CVE-2022-29047)

* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline
SCM API for Blue Ocean Plugin (CVE-2022-30952)

* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
(CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)

* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:
Supporting APIs Plugin (CVE-2022-43409)

* jenkins-plugin/mercurial: Webhook endpoint discloses job names to
unauthorized users in Mercurial Plugin (CVE-2022-43410)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For important instructions on how to upgrade your cluster and fully apply
this asynchronous errata update in OpenShift Container Platform 4.12, see
the following documentation, which will be updated shortly for this release:

https://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2074855 - CVE-2022-29047 Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
2119645 - CVE-2022-30952 Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2136369 - CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin
2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin
2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin
2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin
2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin
2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin
2136391 - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

6. Package List:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:

Source:
jenkins-2-plugins-4.12.1675702407-1.el8.src.rpm
jenkins-2.361.4.1675702346-3.el8.src.rpm

noarch:
jenkins-2-plugins-4.12.1675702407-1.el8.noarch.rpm
jenkins-2.361.4.1675702346-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-29047
https://access.redhat.com/security/cve/CVE-2022-30952
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-43401
https://access.redhat.com/security/cve/CVE-2022-43402
https://access.redhat.com/security/cve/CVE-2022-43403
https://access.redhat.com/security/cve/CVE-2022-43404
https://access.redhat.com/security/cve/CVE-2022-43405
https://access.redhat.com/security/cve/CVE-2022-43406
https://access.redhat.com/security/cve/CVE-2022-43407
https://access.redhat.com/security/cve/CVE-2022-43408
https://access.redhat.com/security/cve/CVE-2022-43409
https://access.redhat.com/security/cve/CVE-2022-43410
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZAXcidzjgjWX9erEAQgupA//eFQlrAPyQGSP9g7NyP8IZknOMsnZ2NCn
IQq00CAHWMdFgAGUHMNJZhOJ0eyS3iL4kSVgNSF0hIZgqh0tTT4ruJ7cujT4JApq
ynrC7zUheiidSlQ70t0TAESlhIbUffw/VmdRmhXK8VU8P36718keuRO4t83PO/Rx
eojx/uwQ7BIGBdhfU7RnQRbRu1AtiXSYTy40XUqk6sxdQ851ijs7iPd0HMGlbWgJ
GyOCmKg7YyzUd52SG+YPFCxrhxwM+HNhX16+1xRIMzqPZiTzpaUBa9+27gUr8FyS
GNbQ1kNd4TKE/EwNhUMjC/ILZLwsS57X1xeJwBKgjbScW1u1aM7hGaAc17i3HRZ2
KtbhjEE5bueCP7eck20HKjB746u4v6dysD+dzyDAnFLfVBA7VWH851TvhwR+UkjH
PqWsWEx7b8SNwedTkb+oMoJbBB+XbjEUcxc9BxaZF7ntkUgACGiCruiCHYAYFxTV
oa0cTQnjlgDIQLfxqvv9NNKEZ4SqG66kHM6AdxhYGa33FH8mN2pOgmOvLV4TzB+O
M1HlgiO1OpXuyQ5u0Jc5j5A5onGlS7QPzQD7S4bDRxLlCnvkstiLMmgs0JT4ncGx
lcy9D7Fv92rc2bFQB5fYELikR+JSjICgkwnOJsRq9c3W7Ii5OFKieSS1EUwli2/o
fWzJftH69Ds=
=RJgw
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
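The Package List in section 6 gives the exact builds that carry the fixes, so the practical check for an administrator is whether the installed `jenkins` and `jenkins-2-plugins` RPMs are at or above those NVRs. The script below is an added example, not Red Hat's own tooling: it reimplements RPM's version ordering (rpmvercmp: digit and alpha segments, `~` sorting older, `^` sorting newer, then epoch/version/release) so that the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' jenkins jenkins-2-plugins`, collected from the host or from inside the Jenkins image, can be compared offline against the advisory's package list. The fixed NVRs are taken from the advisory; the sample `rpm -q` output is constructed, and the older `jenkins-2-plugins` build in it is a placeholder, not a real release.

```python
"""Compare installed Jenkins RPM builds against the NVRs fixed in RHSA-2023:1064.

Added example (not Red Hat tooling). Feed check_advisory() the lines printed by
rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' jenkins jenkins-2-plugins
"""
import re

# Fixed noarch builds listed in section 6 of the advisory (RHEL 8).
FIXED_PACKAGES = [
    "jenkins-2.361.4.1675702346-3.el8",
    "jenkins-2-plugins-4.12.1675702407-1.el8",
]

# Constructed sample of `rpm -q` output: jenkins is at the fixed build, while
# jenkins-2-plugins is at a made-up older build (placeholder, not a real release).
SAMPLE_RPM_Q_OUTPUT = """\
jenkins-2.361.4.1675702346-3.el8
jenkins-2-plugins-4.12.1600000000-1.el8
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following RPM's segment-wise version comparison."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, even the end of the string (pre-releases).
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        # '^' sorts after the end of the string but before anything else (post-releases).
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca or cb:
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            if ca:
                return 1 if j >= lb else -1
            return -1 if i >= la else 1
        if i >= la or j >= lb:
            break
        # Take the next all-digit or all-alpha segment from both strings.
        isnum = a[i].isdigit()
        pattern = r"\d+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        seg_b = m_b.group(0) if m_b else ""
        if not seg_b:
            # Mixed types: a numeric segment is always newer than an alpha one.
            return 1 if isnum else -1
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return 1 if i < la else -1  # whichever string has segments left is newer


def parse_nvr(nvr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release).

    The name itself may contain hyphens (jenkins-2-plugins), so split from the right.
    """
    name, version, release = nvr.strip().rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def compare_evr(installed: str, fixed: str) -> int:
    """Compare two NVRs of the same package: epoch first, then version, then release."""
    _, ea, va, ra = parse_nvr(installed)
    _, eb, vb, rb = parse_nvr(fixed)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def check_advisory(rpm_q_output: str, fixed_packages=FIXED_PACKAGES) -> dict:
    """Map each advisory package to True (fixed build or newer), False (older) or None (not installed)."""
    installed = {}
    for line in rpm_q_output.splitlines():
        if line.count("-") >= 2:  # skips "package X is not installed" lines
            installed[parse_nvr(line)[0]] = line.strip()
    verdict = {}
    for fixed in fixed_packages:
        name = parse_nvr(fixed)[0]
        verdict[name] = None if name not in installed else compare_evr(installed[name], fixed) >= 0
    return verdict


if __name__ == "__main__":
    for name, ok in check_advisory(SAMPLE_RPM_Q_OUTPUT).items():
        print(f"{name}: {'not installed' if ok is None else ('fixed' if ok else 'OLDER THAN FIX')}")
```

On OpenShift the query is run inside the Jenkins pod (for example via `oc rsh`) rather than on the node, since the packages live in the image; an `rpm -q` that shows an older build means the image has not yet been rolled to the errata build described in section 4. The epoch handling is included for completeness only: neither package in this advisory carries an epoch, so for these two NVRs the ordering is decided by version and release alone.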