-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update
Advisory ID:       RHSA-2023:3663-01
Product:           OpenShift Developer Tools and Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3663
Issue date:        2023-06-19
CVE Names:         CVE-2022-2048 CVE-2022-22976 CVE-2022-40149 
                   CVE-2022-40150 CVE-2022-41966 CVE-2022-42003 
                   CVE-2022-42004 CVE-2023-1370 CVE-2023-1436 
                   CVE-2023-20860 CVE-2023-26464 CVE-2023-27898 
                   CVE-2023-27899 CVE-2023-27903 CVE-2023-27904 
                   CVE-2023-32977 CVE-2023-32981 
====================================================================
1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging
(CVE-2023-26464)

* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)

* Jenkins: Temporary plugin file created with insecure permissions
(CVE-2023-27899)

* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job
Plugin (CVE-2023-32977)

* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

* springframework: BCrypt skips salt rounds for work factor of 31
(CVE-2022-22976)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write
vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)

* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)

* Jenkins: Temporary file parameter created with insecure permissions
(CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to
agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
2177626 - CVE-2023-27899 Jenkins: Temporary plugin file created with insecure permissions
2177629 - CVE-2023-27898 Jenkins: XSS vulnerability in plugin manager
2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions
2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2182864 - CVE-2023-26464 log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin
2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin

6. Package List:

OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8:

Source:
jenkins-2-plugins-4.11.1686831822-1.el8.src.rpm
jenkins-2.401.1.1686831596-3.el8.src.rpm

noarch:
jenkins-2-plugins-4.11.1686831822-1.el8.noarch.rpm
jenkins-2.401.1.1686831596-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2048
https://access.redhat.com/security/cve/CVE-2022-22976
https://access.redhat.com/security/cve/CVE-2022-40149
https://access.redhat.com/security/cve/CVE-2022-40150
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-26464
https://access.redhat.com/security/cve/CVE-2023-27898
https://access.redhat.com/security/cve/CVE-2023-27899
https://access.redhat.com/security/cve/CVE-2023-27903
https://access.redhat.com/security/cve/CVE-2023-27904
https://access.redhat.com/security/cve/CVE-2023-32977
https://access.redhat.com/security/cve/CVE-2023-32981
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
