Issued:: 2020-11-17
Updated:: 2020-11-17

RHSA-2020:5102 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: OpenShift Container Platform 3.11.318 jenkins-2-plugins security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for jenkins-2-plugins is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM (CVE-2020-2252)
jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files (CVE-2020-2254)
jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests (CVE-2020-2255)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

Affected Products

Red Hat OpenShift Container Platform 3.11 x86_64
Red Hat OpenShift Container Platform for Power 3.11 ppc64le

Fixes

BZ - 1880454 - CVE-2020-2252 jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM
BZ - 1880456 - CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files
BZ - 1880460 - CVE-2020-2255 jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests.

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 3.11

SRPM
jenkins-2-plugins-3.11.1603460090-1.el7.src.rpm	SHA-256: 5402cb8fb8f236f43951843b506ddd26af98876448e2bafc72988091938f986f
x86_64
jenkins-2-plugins-3.11.1603460090-1.el7.noarch.rpm	SHA-256: d7913bc35a6503107ec19d3c7fe78afe3e3ec6b80c31e3084dd41555d3e00e36

Red Hat OpenShift Container Platform for Power 3.11

SRPM
jenkins-2-plugins-3.11.1603460090-1.el7.src.rpm	SHA-256: 5402cb8fb8f236f43951843b506ddd26af98876448e2bafc72988091938f986f
ppc64le
jenkins-2-plugins-3.11.1603460090-1.el7.noarch.rpm	SHA-256: d7913bc35a6503107ec19d3c7fe78afe3e3ec6b80c31e3084dd41555d3e00e36
jenkins-2-plugins-3.11.1603460090-1.el7.noarch.rpm	SHA-256: d7913bc35a6503107ec19d3c7fe78afe3e3ec6b80c31e3084dd41555d3e00e36

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation