-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: jenkins and jenkins-2-plugins security update Advisory ID: RHSA-2023:3299-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3299 Issue date: 2023-05-24 CVE Names: CVE-2020-7692 CVE-2021-4178 CVE-2021-46877 CVE-2022-22978 CVE-2022-40151 CVE-2022-40152 CVE-2022-42889 CVE-2023-24422 CVE-2023-24998 CVE-2023-25761 CVE-2023-25762 CVE-2023-27900 CVE-2023-27901 CVE-2023-27902 CVE-2023-27904 ===================================================================== 1. Summary: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * apache-commons-text: variable interpolation RCE (CVE-2022-42889) * google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692) * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422) * kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178) * jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877) * springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978) * xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151) * woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152) * Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998) * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761) * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762) * Jenkins: Denial of Service attack (CVE-2023-27900) * Jenkins: Denial of Service attack (CVE-2023-27901) * Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902) * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1856376 - CVE-2020-7692 google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher 2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks 2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE 2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin 2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin 2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin 2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts 2177630 - CVE-2023-27902 Jenkins: Workspace temporary directories accessible through directory browser 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents 2177638 - CVE-2023-27900 Jenkins: Denial of Service attack 2177646 - CVE-2023-27901 Jenkins: Denial of Service attack 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode 6. JIRA issues fixed (https://issues.jboss.org/): PITEAM-10 - Release 4.13 Jenkins agent image PITEAM-9 - Release 4.13 Jenkins image 7. Package List: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8: Source: jenkins-2-plugins-4.13.1684911916-1.el8.src.rpm jenkins-2.387.3.1684911776-3.el8.src.rpm noarch: jenkins-2-plugins-4.13.1684911916-1.el8.noarch.rpm jenkins-2.387.3.1684911776-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-7692 https://access.redhat.com/security/cve/CVE-2021-4178 https://access.redhat.com/security/cve/CVE-2021-46877 https://access.redhat.com/security/cve/CVE-2022-22978 https://access.redhat.com/security/cve/CVE-2022-40151 https://access.redhat.com/security/cve/CVE-2022-40152 https://access.redhat.com/security/cve/CVE-2022-42889 https://access.redhat.com/security/cve/CVE-2023-24422 https://access.redhat.com/security/cve/CVE-2023-24998 https://access.redhat.com/security/cve/CVE-2023-25761 https://access.redhat.com/security/cve/CVE-2023-25762 https://access.redhat.com/security/cve/CVE-2023-27900 https://access.redhat.com/security/cve/CVE-2023-27901 https://access.redhat.com/security/cve/CVE-2023-27902 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/updates/classification/#important 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZG5wWtzjgjWX9erEAQgFsg//YzF69fxifzUFd9jVJhsxmyAL5XcwVzke 0UWcIUOW50zakKhNb+2ka6V3wCt+PlLHhHheEAR0UqMdQ0JcdGMU+Er1P8IKB0Tu LdKoOBCgFdJ6aPpDD7dBMZaCd8pSYkqF/MVfFOoJKvH36M6AJKlAxSwWofGG3vI7 312EM3Mj2NFF79y3/EIKPjVRlz1pVYmXUtGNVe5R1+gXDbgyEv/e9w4pgUowxjTH KDFSsz4WVJJGj+GGWlKtI2JkfTGjGVcyEDZsFD+ppQbRJW/EBJtXXXKp30vu41WK s7Uw8rYJybFhvxdfHeOlchK++ep4NGDbCJHtB8ad45qckKpfHPPLQtvWX2VJw8YD 8Eej7F5mU7CzCD9vBdGuSFjXLPaJnQ9RBAgCO0dmT6zaFr2QJXyYR2qZLMKpL2JZ TP+Rx4cbPYD7WsFGEWiVBdPQHKVaghfda/7XO5Nk5g8KWZ55LwSYu5tJo/rQvNWS mAOk2B651gX3EvXzidlwPIhf0BVICxdfdDzq15bXINQtFvd8IN79Bn//vYa5yCZQ dO2qEc9nXIuObgjRgPeLs32qHsVP2FCiLbSq1RsT8S7PUQa/p7SZ+epq6c/HFnoT kO9UTUrJyXHL+4RKtlI6yyupuL0UfN0q44ewyzHPm2F7h+mnZVelTfUT9JFgFgnE Br5rCa9tQGQ= =/O17 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce