
RedHat: RHSA-2023-1064-01 Critical: OpenShift Jenkins Flaws

Red Hat, March 6, 2023
Significant OpenShift Developer Tools upgrade released; key security fixes for Jenkins are part of this update.
An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.

Solution

For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins/important-changes-to-openshift-jenkins-images

Summary

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin (CVE-2022-29047)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)
* jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin (CVE-2022-43410)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2022-29047
https://access.redhat.com/security/cve/CVE-2022-30952
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-43401
https://access.redhat.com/security/cve/CVE-2022-43402
https://access.redhat.com/security/cve/CVE-2022-43403
https://access.redhat.com/security/cve/CVE-2022-43404
https://access.redhat.com/security/cve/CVE-2022-43405
https://access.redhat.com/security/cve/CVE-2022-43406
https://access.redhat.com/security/cve/CVE-2022-43407
https://access.redhat.com/security/cve/CVE-2022-43408
https://access.redhat.com/security/cve/CVE-2022-43409
https://access.redhat.com/security/cve/CVE-2022-43410
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/updates/classification#critical

Package List

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:
Source:
jenkins-2-plugins-4.12.1675702407-1.el8.src.rpm
jenkins-2.361.4.1675702346-3.el8.src.rpm
noarch:
jenkins-2-plugins-4.12.1675702407-1.el8.noarch.rpm
jenkins-2.361.4.1675702346-3.el8.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key
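A quick way to confirm that a Jenkins image actually carries the fixed builds from the Package List above is to compare the installed RPM version-release against the advisory's NVRs. The following is an added example, not part of the advisory or of Red Hat's tooling; it reimplements rpm's segment-wise version comparison (simplified: no `~`/`^` handling) and assumes the input is the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' jenkins jenkins-2-plugins` run inside the image.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed builds taken from the advisory's Package List: name -> (version, release)
FIXED: Dict[str, Tuple[str, str]] = {
    "jenkins": ("2.361.4.1675702346", "3.el8"),
    "jenkins-2-plugins": ("4.12.1675702407", "1.el8"),
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm does: split into numeric and
    alphabetic segments, numeric segments compare as integers, a numeric segment
    outranks an alphabetic one, and a longer string wins when the prefix is equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(name: str, version: str, release: str) -> bool:
    """True when the installed version-release is at or above the advisory's build."""
    fixed_version, fixed_release = FIXED[name]
    cmp = rpmvercmp(version, fixed_version)
    if cmp == 0:
        cmp = rpmvercmp(release, fixed_release)
    return cmp >= 0


def check_rpm_lines(lines: Iterable[str]) -> Dict[str, bool]:
    """Parse 'NAME VERSION RELEASE' lines; return name -> True if still vulnerable."""
    status = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] not in FIXED:
            continue  # unrelated package or malformed line
        name, version, release = parts
        status[name] = not is_fixed(name, version, release)
    return status


# Constructed sample output: jenkins is patched, the plugins bundle lags behind.
SAMPLE = ["jenkins 2.361.4.1675702346 3.el8", "jenkins-2-plugins 4.12.1672759542 1.el8"]

if __name__ == "__main__":
    for pkg, vulnerable in check_rpm_lines(SAMPLE).items():
        print(f"{pkg}: {'UPDATE NEEDED' if vulnerable else 'fixed'}")
```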


Severity: Critical

Advisory ID: RHSA-2023:1064-01
Product: OpenShift Developer Tools and Services
Issue date: 2023-03-06

Topic

An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases / Architectures

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch

Bugs Fixed

2074855 - CVE-2022-29047 Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin

2119645 - CVE-2022-30952 Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

2136369 - CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin

2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin

2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin

2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin

2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin

2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin

2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
