- Issued:
- 2024-08-14
- Updated:
- 2024-08-14
RHSA-2024:5406 - Security Advisory
Synopsis
Critical: Red Hat Product OCP Tools 4.13 OpenShift Jenkins security update
Type/Severity
Security Advisory: Critical
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for OpenShift Jenkins is now available for Red Hat Product OCP Tools 4.13.
Red Hat Product Security has rated this update as having a security impact of critical.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,
is available for each vulnerability from the CVE link(s) in the References section.
Description
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
- jenkins: Arbitrary file read vulnerability through agent connections can lead to RCE (CVE-2024-43044)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
- OpenShift Developer Tools and Services 4.13 x86_64
- OpenShift Developer Tools and Services 4.13 s390x
- OpenShift Developer Tools and Services 4.13 ppc64le
- OpenShift Developer Tools and Services 4.13 aarch64
Fixes
- BZ - 2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin
- BZ - 2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin
- BZ - 2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin
- BZ - 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
- BZ - 2303466 - CVE-2024-43044 jenkins: Arbitrary file read vulnerability through agent connections can lead to RCE
- JKNS-271 - Automate Polarion integration for smoke test
- JKNS-289 - Draft Knowledgebase article for Jenkins out of payload
- JKNS-397 - USE_JAVA_VERSION doesn't work in ocp-tools-4/jenkins-agent-base-rhel8:v4.13.0
- JKNS-398 - [4.15] Jenkins Initial Release
- OCPBUGS-10934 - Bump Jenkins to 2.387.1
- OCPBUGS-11158 - Mailer Plugin (mailer) has breaking changes in newest version
- OCPBUGS-11329 - Mailer Plugin (mailer) has breaking changes in newest version
- OCPBUGS-11446 - Update config-file-provider to fix plugin dependency issue
- OCPBUGS-11452 - Update config-file-provider to fix plugin dependency issue
- OCPBUGS-1357 - Jenkins install-plugins script does not ignore updates to locked plugin versions
- OCPBUGS-13651 - [release-4.13] Bump Jenkins and Plugin versions
- OCPBUGS-13870 - [release-4.13] Bump Jenkins Plugins to latest version
- OCPBUGS-14112 - Update ImageStreams to use new Jenkins and Jenkins Agent Base images
- OCPBUGS-14311 - Bump Jenkins Plugins to latest version
- OCPBUGS-14634 - Bump Jenkins plugins to latest versions
- OCPBUGS-15647 - [release-4.13] Update ImageStreams to use new Jenkins and Jenkins Agent Base images
- OCPBUGS-15986 - Failure in periodic-ci-openshift-jenkins-release-4.13-jenkins-hypershift4.13-aws-jenkins-lp-rosa-hypershift, 07-10-2023
- OCPBUGS-1709 - Align javax-mail-api with Jenkins Server 2.361.1
- OCPBUGS-1942 - Bump Jenkins version to 2.361.1
- OCPBUGS-2099 - Fix sshd embedded version
- OCPBUGS-2184 - Update jenkins-client, jenkins-sync and openshift-login plugin to latest versions
- OCPBUGS-2318 - Release and update client, sync and login plugins
- OCPBUGS-27389 - release-4.13 - Bump Jenkins Plugin Versions and Go Dependencies
- OCPBUGS-28962 - openshift/jenkins - replace 'coreydaley' with 'sayan-biswas' in OWNERS file
- OCPBUGS-655 - Update blueocean-autofavorite to 1.2.5
- OCPBUGS-6579 - update sample imagestreams with latest 4.11 image
- OCPBUGS-6870 - Bump Jenkins to 2.361.4
- OCPBUGS-710 - Add user coreydaley to list of approvers for openshift/jenkins
- OCPBUGS-8377 - Update Go to v1.19
- OCPBUGS-8442 - Jenkins images based on rhel8 are wrongly tagged with rhel7
- OCPTOOLS-245 - Bump Jenkins version to 2.414.3 [openshift-4.13]
CVEs
Note:
More recent versions of these packages may be available.
Click a package name for more details.
OpenShift Developer Tools and Services 4.13
| SRPM | |
|---|---|
| jenkins-2-plugins-4.13.1723446018-1.el8.src.rpm | SHA-256: 458454156f43d3d8a8d83be9c3282f4984a20fa337a6f0be7f11209348ce1066 |
| jenkins-2.462.1.1723445923-3.el8.src.rpm | SHA-256: 459a0aa2636ea501cef7fc729b17f0e52e6f59c95048ff3ca6f50ba0b2d87a80 |
| x86_64 | |
| jenkins-2-plugins-4.13.1723446018-1.el8.noarch.rpm | SHA-256: 7f3bd700704c5282bd32374515984cde63e0492777c19435d9f282719c6f22ed |
| jenkins-2.462.1.1723445923-3.el8.noarch.rpm | SHA-256: 876b8f0fb2d98fe7058bee332e6c081dc175f0606c6121bb93d18f0241e6957d |
| s390x | |
| jenkins-2-plugins-4.13.1723446018-1.el8.noarch.rpm | SHA-256: 7f3bd700704c5282bd32374515984cde63e0492777c19435d9f282719c6f22ed |
| jenkins-2.462.1.1723445923-3.el8.noarch.rpm | SHA-256: 876b8f0fb2d98fe7058bee332e6c081dc175f0606c6121bb93d18f0241e6957d |
| ppc64le | |
| jenkins-2-plugins-4.13.1723446018-1.el8.noarch.rpm | SHA-256: 7f3bd700704c5282bd32374515984cde63e0492777c19435d9f282719c6f22ed |
| jenkins-2.462.1.1723445923-3.el8.noarch.rpm | SHA-256: 876b8f0fb2d98fe7058bee332e6c081dc175f0606c6121bb93d18f0241e6957d |
| aarch64 | |
| jenkins-2-plugins-4.13.1723446018-1.el8.noarch.rpm | SHA-256: 7f3bd700704c5282bd32374515984cde63e0492777c19435d9f282719c6f22ed |
| jenkins-2.462.1.1723445923-3.el8.noarch.rpm | SHA-256: 876b8f0fb2d98fe7058bee332e6c081dc175f0606c6121bb93d18f0241e6957d |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
