-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: jenkins and jenkins-2-plugins security update Advisory ID: RHSA-2023:3198-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3198 Issue date: 2023-05-17 CVE Names: CVE-2021-26291 CVE-2022-1471 CVE-2022-25857 CVE-2022-29599 CVE-2022-30953 CVE-2022-30954 CVE-2022-42889 CVE-2022-43401 CVE-2022-43402 CVE-2022-43403 CVE-2022-43404 CVE-2022-43405 CVE-2022-43406 CVE-2022-43407 CVE-2022-43408 CVE-2022-43409 CVE-2022-45047 CVE-2023-24422 CVE-2023-25761 CVE-2023-25762 CVE-2023-27903 CVE-2023-27904 ==================================================================== 1. Summary: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * apache-commons-text: variable interpolation RCE (CVE-2022-42889) * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401) * jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402) * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403) * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404) * jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405) * jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406) * maven: Block repositories using http by default (CVE-2021-26291) * SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471) * snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857) * maven-shared-utils: Command injection via Commandline class (CVE-2022-29599) * jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407) * mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047) * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422) * Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953) * Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954) * jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408) * jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409) * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761) * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762) * Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903) * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1955739 - CVE-2021-26291 maven: Block repositories using http by default 2066479 - CVE-2022-29599 maven-shared-utils: Command injection via Commandline class 2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin 2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin 2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE 2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin 2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin 2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin 2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin 2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin 2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin 2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin 2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin 2136391 - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution 2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin 2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin 2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin 2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents 6. Package List: OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8: Source: jenkins-2-plugins-4.11.1683009941-1.el8.src.rpm jenkins-2.387.1.1683009763-3.el8.src.rpm noarch: jenkins-2-plugins-4.11.1683009941-1.el8.noarch.rpm jenkins-2.387.1.1683009763-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-26291 https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-25857 https://access.redhat.com/security/cve/CVE-2022-29599 https://access.redhat.com/security/cve/CVE-2022-30953 https://access.redhat.com/security/cve/CVE-2022-30954 https://access.redhat.com/security/cve/CVE-2022-42889 https://access.redhat.com/security/cve/CVE-2022-43401 https://access.redhat.com/security/cve/CVE-2022-43402 https://access.redhat.com/security/cve/CVE-2022-43403 https://access.redhat.com/security/cve/CVE-2022-43404 https://access.redhat.com/security/cve/CVE-2022-43405 https://access.redhat.com/security/cve/CVE-2022-43406 https://access.redhat.com/security/cve/CVE-2022-43407 https://access.redhat.com/security/cve/CVE-2022-43408 https://access.redhat.com/security/cve/CVE-2022-43409 https://access.redhat.com/security/cve/CVE-2022-45047 https://access.redhat.com/security/cve/CVE-2023-24422 https://access.redhat.com/security/cve/CVE-2023-25761 https://access.redhat.com/security/cve/CVE-2023-25762 https://access.redhat.com/security/cve/CVE-2023-27903 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/updates/classification/#critical https://docs.openshift.com/container-platform/4.11/cicd/jenkins/important-changes-to-openshift-jenkins-images.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZGVo+dzjgjWX9erEAQgCdg/+IfIH6hD3NmjhrGatJzY4DSsfeYr/bJnq CxON2U3udg0nEDneRvTKVfiArUsVlLX/arKrcc8u3jqZCsXvyaVCFN/JSXC+ifpm 7WEp28y9nYwIpKeMb9fAUEJY4PFSIgZhFQkrDc/JNjhK26+yUWN+nWRoqHkyhypu FNa7QpADpT+iFv4rBBfQO/4RjckOOny5YuIpYtOH5GfPvaBBLRmbmcOTxzioa8ld L3bJLG59yXIxr48TCiVMF8GDljAT0AC+8TxdT5g9PQra9H3/L+UD00DkwaoTFqZy ps4p18Si9o7NplLXIDhYImLJh85Q20Qid25MgP74Zuchtuhx+dEH22F3KO94qYW4 KY1eeWH0zYf2TsKtmMrVXcxedIeNhqee6zYOYNB8HSqLKGmaYqcTKEHv2fDMgciN qwWm4GtqZ5u0BJ3sDgULn+VBFez4/CkRkaCFPLNoZW3D3pdbxz/JypGEni7KBykp /6aGktthf9e7F2AvPEsgiactU+6L05v1XE2U2OCwQBw4/82zy04cHbXaLzQbrh0o VsyDR2/tsa96yJe4glzQXK2Dghsoggo27W68rClyd/7HdwfEZy7J934oIctvJEY+ 24mlKN5L48QSDNEoJeSo2YtdnsFH5BxxK8hdxE5V1paWrX9ZdErk2tdUBWC8EnL3 qyiIXJnAaKMÑKg -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce