Issued:: 2020-03-26
Updated:: 2020-03-26

RHSA-2020:0964 - Security Advisory

Overview
Updated Packages

Synopsis

Important: OpenShift Container Platform 3.11 jenkins-2-plugins security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for jenkins-2-plugins is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

openshift/jenkins-plugin: Deserialization in snakeyaml YAML() objects allowed for remote code execution (CVE-2020-2167)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

See the following documentation, which will be updated shortly for release
3.11.188, for important instructions on how to upgrade your cluster and fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

Affected Products

Red Hat OpenShift Container Platform 3.11 x86_64
Red Hat OpenShift Container Platform for Power 3.11 ppc64le

Fixes

BZ - 1816433 - CVE-2020-2167 openshift/jenkins-plugin: Deserialization in snakeyaml YAML() objects allows for remote code execution

CVEs

CVE-2020-2167

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 3.11

SRPM
jenkins-2-plugins-3.11.1585050035-1.el7.src.rpm	SHA-256: cdc940f124f3e045573476fe4d3cbf16d409de1585587de2a2c48df4aec90ac3
jenkins-2.204.2.1585048146-1.el7.src.rpm	SHA-256: efcb73b01b18b9f6f7077ca742b70d3d90a0e71742db742d2c367a9a73e8f199
x86_64
jenkins-2-plugins-3.11.1585050035-1.el7.noarch.rpm	SHA-256: f26b46149379991b495ef9880692d07f3db503f47b9d3de8c777834a0291c810
jenkins-2.204.2.1585048146-1.el7.noarch.rpm	SHA-256: 64950fa961ca06f4e6a6ffd00fab0abf6f6715500f34ecd172f52428cae6e433

Red Hat OpenShift Container Platform for Power 3.11

SRPM
jenkins-2-plugins-3.11.1585050035-1.el7.src.rpm	SHA-256: cdc940f124f3e045573476fe4d3cbf16d409de1585587de2a2c48df4aec90ac3
jenkins-2.204.2.1585048146-1.el7.src.rpm	SHA-256: efcb73b01b18b9f6f7077ca742b70d3d90a0e71742db742d2c367a9a73e8f199
ppc64le
jenkins-2-plugins-3.11.1585050035-1.el7.noarch.rpm	SHA-256: f26b46149379991b495ef9880692d07f3db503f47b9d3de8c777834a0291c810
jenkins-2-plugins-3.11.1585050035-1.el7.noarch.rpm	SHA-256: f26b46149379991b495ef9880692d07f3db503f47b9d3de8c777834a0291c810
jenkins-2.204.2.1585048146-1.el7.noarch.rpm	SHA-256: 64950fa961ca06f4e6a6ffd00fab0abf6f6715500f34ecd172f52428cae6e433
jenkins-2.204.2.1585048146-1.el7.noarch.rpm	SHA-256: 64950fa961ca06f4e6a6ffd00fab0abf6f6715500f34ecd172f52428cae6e433

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation