RHSA-2023:6172 - Security Advisory

Topic

An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12.
Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

CVE-2023-27904 jenkins: Information disclosure through error stack traces related to agents
CVE-2023-27903 jenkins: Temporary file parameter created with insecure permissions
CVE-2023-25762 jenkins-2-plugins: jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin
CVE-2023-25761 jenkins-2-plugins: jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
CVE-2022-25857 jenkins-2-plugins: snakeyaml: Denial of Service due to missing nested depth limitation for collections
CVE-2022-42889 jenkins-2-plugins: apache-commons-text: variable interpolation RCE
CVE-2020-7692 jenkins-2-plugins: google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization
CVE-2023-24422 jenkins-2-plugins: jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
CVE-2023-25761 jenkins-2-plugins: jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
CVE-2023-25762 jenkins-2-plugins: jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin
CVE-2022-42889 jenkins-2-plugins: apache-commons-text: variable interpolation RCE
CVE-2022-29599 jenkins-2-plugins: maven-shared-utils: Command injection via Commandline class
CVE-2023-39325 openshift-jenkins-2-container: golang: net/http, x/net/http2: rapid stream resets can cause excessive work

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• OpenShift Developer Tools and Services 4.12 x86_64
• OpenShift Developer Tools and Services 4.12 s390x
• OpenShift Developer Tools and Services 4.12 ppc64le
• OpenShift Developer Tools and Services 4.12 aarch64

Fixes

• BZ - 2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin
• BZ - 2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin
• BZ - 2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin
• BZ - 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

CVEs

• CVE-2020-7692
• CVE-2022-25857
• CVE-2022-29599
• CVE-2022-42889
• CVE-2023-24422
• CVE-2023-25761
• CVE-2023-25762
• CVE-2023-27903
• CVE-2023-27904
• CVE-2023-39325

References

• https://access.redhat.com/security/updates/classification/#critical