- Issued:
- 2023-10-30
- Updated:
- 2023-10-30
RHSA-2023:6172 - Security Advisory
Synopsis
Critical: Red Hat Product OCP Tools 4.12 Openshift Jenkins security update
Type/Severity
Security Advisory: Critical
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12.
Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
CVE-2023-27904 jenkins: Information disclosure through error stack traces related to agents
CVE-2023-27903 jenkins: Temporary file parameter created with insecure permissions
CVE-2023-25762 jenkins-2-plugins: jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin
CVE-2023-25761 jenkins-2-plugins: jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
CVE-2022-25857 jenkins-2-plugins: snakeyaml: Denial of Service due to missing nested depth limitation for collections
CVE-2022-42889 jenkins-2-plugins: apache-commons-text: variable interpolation RCE
CVE-2020-7692 jenkins-2-plugins: google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization
CVE-2023-24422 jenkins-2-plugins: jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
CVE-2023-25761 jenkins-2-plugins: jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
CVE-2023-25762 jenkins-2-plugins: jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin
CVE-2022-42889 jenkins-2-plugins: apache-commons-text: variable interpolation RCE
CVE-2022-29599 jenkins-2-plugins: maven-shared-utils: Command injection via Commandline class
CVE-2023-39325 openshift-jenkins-2-container: golang: net/http, x/net/http2: rapid stream resets can cause excessive work
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- OpenShift Developer Tools and Services 4.12 x86_64
- OpenShift Developer Tools and Services 4.12 s390x
- OpenShift Developer Tools and Services 4.12 ppc64le
- OpenShift Developer Tools and Services 4.12 aarch64
Fixes
- BZ - 2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin
- BZ - 2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin
- BZ - 2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin
- BZ - 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
CVEs
OpenShift Developer Tools and Services 4.12
SRPM | |
---|---|
jenkins-2-plugins-4.12.1698294000-1.el8.src.rpm | SHA-256: dcb3a7faad02f8718b52c4c9bd2a62afd0304c909b2828441a9dceb6617de226 |
jenkins-2.414.3.1698293911-3.el8.src.rpm | SHA-256: dba8caf2a4b181df09f487825e267952f02bedaf37b5d017ccecea206f490b3b |
x86_64 | |
jenkins-2-plugins-4.12.1698294000-1.el8.noarch.rpm | SHA-256: aac35443503a10cd67a58d00ff9d1312448254d736264d192c40f3f4a9ee90bf |
jenkins-2.414.3.1698293911-3.el8.noarch.rpm | SHA-256: 76cd40063df46cd04eefdf85a4c10c806fa38912e8eee12ed3a84a6606b790af |
s390x | |
jenkins-2-plugins-4.12.1698294000-1.el8.noarch.rpm | SHA-256: aac35443503a10cd67a58d00ff9d1312448254d736264d192c40f3f4a9ee90bf |
jenkins-2.414.3.1698293911-3.el8.noarch.rpm | SHA-256: 76cd40063df46cd04eefdf85a4c10c806fa38912e8eee12ed3a84a6606b790af |
ppc64le | |
jenkins-2-plugins-4.12.1698294000-1.el8.noarch.rpm | SHA-256: aac35443503a10cd67a58d00ff9d1312448254d736264d192c40f3f4a9ee90bf |
jenkins-2.414.3.1698293911-3.el8.noarch.rpm | SHA-256: 76cd40063df46cd04eefdf85a4c10c806fa38912e8eee12ed3a84a6606b790af |
aarch64 | |
jenkins-2-plugins-4.12.1698294000-1.el8.noarch.rpm | SHA-256: aac35443503a10cd67a58d00ff9d1312448254d736264d192c40f3f4a9ee90bf |
jenkins-2.414.3.1698293911-3.el8.noarch.rpm | SHA-256: 76cd40063df46cd04eefdf85a4c10c806fa38912e8eee12ed3a84a6606b790af |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.