-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0904
              jenkins and jenkins-2-plugins security update
                              13 February 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jenkins
                   jenkins-2-plugins
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-44487 CVE-2023-40341 CVE-2023-40339
                   CVE-2023-40338 CVE-2023-40337 CVE-2023-40336
                   CVE-2023-39325 CVE-2023-37947 CVE-2023-37946
                   CVE-2023-35116 CVE-2023-25762 CVE-2023-25761
                   CVE-2023-24422 CVE-2023-2976 CVE-2022-42889
                   CVE-2022-29599 CVE-2022-25857

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:0777

Comment: CVSS (Max):  9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

         The following are listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog:
         CISA KEV CVE(s): CVE-2023-44487
         CISA KEV URL:    https://www.cisa.gov/known-exploited-vulnerabilities-catalog

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update
Advisory ID:       RHSA-2024:0777
Product:           OpenShift Developer Tools and Services for OCP 4.14 for RHEL 8
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:0777
Issue date:        2024-02-12
CVE Names:         CVE-2022-25857 CVE-2022-29599 CVE-2022-42889
                   CVE-2023-2976 CVE-2023-24422 CVE-2023-25761
                   CVE-2023-25762 CVE-2023-35116 CVE-2023-37946
                   CVE-2023-37947 CVE-2023-39325 CVE-2023-40336
                   CVE-2023-40337 CVE-2023-40338 CVE-2023-40339
                   CVE-2023-40341 CVE-2023-44487
=====================================================================

1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.14.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.14 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work
  (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack
  (Rapid Reset Attack) (CVE-2023-44487)

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* snakeyaml: Denial of Service due to missing nested depth limitation for
  collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script
  Security Plugin (CVE-2023-24422)

* Jenkins: Session fixation vulnerability in OpenShift Login Plugin
  (CVE-2023-37946)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin may
  approve unsandboxed scripts (CVE-2023-40336)

* guava: insecure temporary directory creation (CVE-2023-2976)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
  (CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in
  Pipeline: Build Step Plugin (CVE-2023-25762)

* jackson-databind: denial of service via cyclic dependencies (CVE-2023-35116)

* Jenkins: Open redirect vulnerability in OpenShift Login Plugin
  (CVE-2023-37947)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin
  (CVE-2023-40337)

* jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin
  (CVE-2023-40338)

* jenkins-plugins: config-file-provider: Improper masking of credentials in
  Config File Provider Plugin (CVE-2023-40339)

* jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows
  capturing credentials (CVE-2023-40341)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2126789 - CVE-2022-25857 - snakeyaml: Denial of Service due to missing nested depth limitation for collections
2066479 - CVE-2022-29599 - maven-shared-utils: Command injection via Commandline class
2135435 - CVE-2022-42889 - apache-commons-text: variable interpolation RCE
2215229 - CVE-2023-2976 - guava: insecure temporary directory creation
2164278 - CVE-2023-24422 - jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
2170039 - CVE-2023-25761 - jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
2170041 - CVE-2023-25762 - jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin
2215214 - CVE-2023-35116 - jackson-databind: denial of service via cyclic dependencies
2222709 - CVE-2023-37946 - Jenkins: Session fixation vulnerability in OpenShift Login Plugin
2222710 - CVE-2023-37947 - Jenkins: Open redirect vulnerability in OpenShift Login Plugin
2243296 - CVE-2023-39325 - golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
2232424 - CVE-2023-40336 - jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin may approve unsandboxed scripts
2232425 - CVE-2023-40337 - jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin
2232426 - CVE-2023-40338 - jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin
2232423 - CVE-2023-40339 - jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin
2232422 - CVE-2023-40341 - jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials
2242803 - CVE-2023-44487 - HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

6. Package List:

OpenShift Developer Tools and Services for OCP 4.14 for RHEL 8

noarch:
jenkins-2-plugins-0:4.14.1706516441-1.el8.noarch.rpm
jenkins-0:2.426.3.1706516352-3.el8.noarch.rpm

Source:
jenkins-2-plugins-0:4.14.1706516441-1.el8.src.rpm
jenkins-0:2.426.3.1706516352-3.el8.src.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-29599
https://access.redhat.com/security/cve/CVE-2022-42889
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2023-24422
https://access.redhat.com/security/cve/CVE-2023-25761
https://access.redhat.com/security/cve/CVE-2023-25762
https://access.redhat.com/security/cve/CVE-2023-35116
https://access.redhat.com/security/cve/CVE-2023-37946
https://access.redhat.com/security/cve/CVE-2023-37947
https://access.redhat.com/security/cve/CVE-2023-39325
https://access.redhat.com/security/cve/CVE-2023-40336
https://access.redhat.com/security/cve/CVE-2023-40337
https://access.redhat.com/security/cve/CVE-2023-40338
https://access.redhat.com/security/cve/CVE-2023-40339
https://access.redhat.com/security/cve/CVE-2023-40341
https://access.redhat.com/security/cve/CVE-2023-44487
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your
organisation's registration with AusCERT. The mailing list you are
subscribed to is maintained within your organisation, so if you do not
wish to continue receiving these bulletins you should contact your local
IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZcqxIMkNZI30y1K9AQgPyhAAlUFBJKmi9zGjHXaRB24F84nBTp9oYwcY
u/bW70qcjqlgT5vw5R/vE13eo2IChCVguEEhwzleXPHOt2yNwFh6j0iEc21v3ycK
bibZqZNOkkHqYE5qSWViDkZWIzcjHDSS5XBYJLD40irZK+QMPb43c0Fmzy7vq7sF
lS3hrfqxX84z2Org6R+ajo+5kdYtJUHT5E1KpB426Avs7QyTloOqlNdtNUx7nbqg
CE5Iipfm0oovAVXJ20ZCiYDqY/JhH8+TulmSy2U6CH3l11NWYYWIj+xUeII458pF
QEiHgB2Dc8qxGFVJ+3+kCDKNeIMHcaLYZMm1vjBiRbqyODMX1xFpAubD2hktRa3N
kCIz2MCHzITSVCgto/51AtWyhmXiTdh+aiQBxmDwU+e4clKp4i1WbuOQliuOGYD7
nME42JyEVqatXRCth3kYnUShXX4stA8LtO2xvYFNd5Rd+cj8XeirWCvAdeoiPJAz
bgQcx/Wau77GCVvkDkSJQUWg/PutnOKlVus7yzntSWAh/aCp3e8sdGjQeezRcGIE
tI7uHj6DVJEV38jlmx1Sy2voF7c4ekmAGZOVChCYx3M9v7eLll4lgn1McFO+djfT
Hrh6sxzn9dBaZSmQI0Q7RRqOZlcTWi3o1b1Fy1YBOXcj2HlK5xkK+iR65aDnXYCR
r4S05iASUtY=
=DR23
-----END PGP SIGNATURE-----
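The "Package List" section above names the fixed NEVRAs (jenkins-0:2.426.3.1706516352-3.el8 and jenkins-2-plugins-0:4.14.1706516441-1.el8). The practical question for a defender is whether every host's installed build is at or above those. The following is an added example, not part of the AusCERT bulletin or Red Hat's advisory: it reimplements rpm's label comparison (rpmvercmp, including the "~" and "^" separator rules) in pure Python so it runs without librpm, parses `rpm -q` style NEVRA strings, and reports each package as patched or vulnerable against the advisory's fixed versions. The `rpm -q` output used as input is constructed for the example; on a real host you would feed it the actual output of `rpm -q jenkins jenkins-2-plugins`.

```python
import re
from typing import Dict, Tuple

# Fixed package NEVRAs taken from section 6 of RHSA-2024:0777.
FIXED_NEVRA = {
    "jenkins": "jenkins-0:2.426.3.1706516352-3.el8.noarch",
    "jenkins-2-plugins": "jenkins-2-plugins-0:4.14.1706516441-1.el8.noarch",
}

# Constructed sample of `rpm -q jenkins jenkins-2-plugins` output (not from a real host):
# an older jenkins build alongside the already-fixed plugins package.
SAMPLE_RPM_Q = """\
jenkins-2.426.1.1698905238-3.el8.noarch
jenkins-2-plugins-4.14.1706516441-1.el8.noarch
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release labels like librpm's rpmvercmp: -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while True:
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # Tilde sorts before anything, including end of string ("1.0~rc1" < "1.0").
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        # Caret is like tilde except that end of string (the base version) is older.
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of digits from both, or a run of letters from both.
        pattern = r"[0-9]*" if a[i].isdigit() else r"[A-Za-z]*"
        isnum = a[i].isdigit()
        sa = re.match(pattern, a[i:]).group()
        sb = re.match(pattern, b[j:]).group()
        i, j = i + len(sa), j + len(sb)
        if not sb:
            # Different segment types: numeric segments are always newer than alpha ones.
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevra(s: str) -> Tuple[str, int, str, str, str]:
    """Split 'name-[epoch:]version-release.arch[.rpm]' into its parts; missing epoch is 0."""
    if s.endswith(".rpm"):
        s = s[:-4]
    rest, arch = s.rsplit(".", 1)
    nv, release = rest.rsplit("-", 1)
    name, version = nv.rsplit("-", 1)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release, arch


def evr_cmp(a: Tuple[int, str, str], b: Tuple[int, str, str]) -> int:
    """Epoch first, then version, then release, as rpm orders packages."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    rc = rpmvercmp(a[1], b[1])
    return rc if rc else rpmvercmp(a[2], b[2])


def is_patched(installed_nevra: str) -> bool:
    """True when the installed build is at or above the advisory's fixed build."""
    name, e, v, r, _ = parse_nevra(installed_nevra)
    _, fe, fv, fr, _ = parse_nevra(FIXED_NEVRA[name])
    return evr_cmp((e, v, r), (fe, fv, fr)) >= 0


def audit(rpm_q_output: str) -> Dict[str, str]:
    """Map each advisory package found in `rpm -q` output to 'patched' or 'vulnerable'."""
    results = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):  # "package X is not installed"
            continue
        name = parse_nevra(line)[0]
        if name in FIXED_NEVRA:
            results[name] = "patched" if is_patched(line) else "vulnerable"
    return results


if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_RPM_Q).items():
        print(f"{pkg}: {status}")
```

The epoch is carried explicitly because the advisory writes it ("0:") while default `rpm -q` output omits it; treating a missing epoch as 0 keeps both forms comparable. A release-only bump (for example a later "-4.el8" rebuild of the same version) is still reported as patched, which is the behaviour a fleet check wants.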