RedHat: RHSA-2020-3541:01 Important: OpenShift Container Platform 3.11
Summary
Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron. The
Matrix Project is a module which handles creating Jenkins
multi-configuration projects (matrix projects). Matrix Authorization allows
configuring the lowest level permissions, such as starting new builds,
configuring items, or deleting them, individually.
Python-RSA is a RSA implementation in Python. It can be used as a Python
library as well as the commandline utility.
Ansible is a SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.
Security Fix(es):
* jenkins: Stored XSS vulnerability in job build time trend (CVE-2020-2220)
* jenkins: Stored XSS vulnerability in upstream cause (CVE-2020-2221)
* jenkins: Stored XSS vulnerability in 'keep forever' badge icons
(CVE-2020-2222)
* jenkins: Stored XSS vulnerability in console links (CVE-2020-2223)
* jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis
builds tooltips (CVE-2020-2224)
* jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple
axis builds tooltips (CVE-2020-2225)
* jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix
Authorization Strategy Plugin (CVE-2020-2226)
* jenkins-jira-plugin: plugin information disclosure (CVE-2019-16541)
* python-rsa: decryption of ciphertext leads to DoS (CVE-2020-13757)
* openshift-ansible: cors allowed origin allows changing url protocol
(CVE-2020-1741)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
See the following documentation, which will be updated shortly for release
3.11.272, for important instructions on how to upgrade your cluster and
fully
apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.
References
https://access.redhat.com/security/cve/CVE-2019-16541 https://access.redhat.com/security/cve/CVE-2020-1741 https://access.redhat.com/security/cve/CVE-2020-2220 https://access.redhat.com/security/cve/CVE-2020-2221 https://access.redhat.com/security/cve/CVE-2020-2222 https://access.redhat.com/security/cve/CVE-2020-2223 https://access.redhat.com/security/cve/CVE-2020-2224 https://access.redhat.com/security/cve/CVE-2020-2225 https://access.redhat.com/security/cve/CVE-2020-2226 https://access.redhat.com/security/cve/CVE-2020-13757 https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat OpenShift Container Platform 3.11:
Source:
jenkins-2-plugins-3.11.1597310986-1.el7.src.rpm
jenkins-2.235.2.1597220898-1.el7.src.rpm
openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.src.rpm
python-rsa-4.5-2.el7.src.rpm
noarch:
jenkins-2-plugins-3.11.1597310986-1.el7.noarch.rpm
jenkins-2.235.2.1597220898-1.el7.noarch.rpm
openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-docs-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-playbooks-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-roles-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-test-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
python2-rsa-4.5-2.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for jenkins, jenkins-2-plugins, openshift-ansible, and python-rsais now available for Red Hat OpenShift Container Platform 3.11.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat OpenShift Container Platform 3.11 - noarch
Bugs Fixed
1802381 - CVE-2020-1741 openshift-ansible: cors allowed origin allows changing url protocol
1819663 - CVE-2019-16541 jenkins-jira-plugin: plugin information disclosure
1848507 - CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS
1857425 - CVE-2020-2220 jenkins: Stored XSS vulnerability in job build time trend
1857427 - CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause
1857431 - CVE-2020-2222 jenkins: Stored XSS vulnerability in 'keep forever' badge icons
1857433 - CVE-2020-2223 jenkins: Stored XSS vulnerability in console links
1857436 - CVE-2020-2224 jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis builds tooltips
1857439 - CVE-2020-2225 jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple axis builds tooltips
1857441 - CVE-2020-2226 jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix Authorization Strategy Plugin