===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0904
               jenkins and jenkins-2-plugins security update
                             13 February 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jenkins
                   jenkins-2-plugins
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-44487 CVE-2023-40341 CVE-2023-40339
                   CVE-2023-40338 CVE-2023-40337 CVE-2023-40336
                   CVE-2023-39325 CVE-2023-37947 CVE-2023-37946
                   CVE-2023-35116 CVE-2023-25762 CVE-2023-25761
                   CVE-2023-24422 CVE-2023-2976 CVE-2022-42889
                   CVE-2022-29599 CVE-2022-25857 

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2024:0777

Comment: CVSS (Max):  9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
         
         The following are listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog:
         CISA KEV CVE(s): CVE-2023-44487
         CISA KEV URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security
                   update
Advisory ID:       RHSA-2024:0777
Product:           OpenShift Developer Tools and Services for OCP 4.14 for RHEL 8
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:0777
Issue date:        2024-02-12
CVE Names:         CVE-2022-25857 CVE-2022-29599 CVE-2022-42889 CVE-2023-2976
                   CVE-2023-24422 CVE-2023-25761 CVE-2023-25762 CVE-2023-35116
                   CVE-2023-37946 CVE-2023-37947 CVE-2023-39325 CVE-2023-40336
                   CVE-2023-40337 CVE-2023-40338 CVE-2023-40339 CVE-2023-40341
                   CVE-2023-44487
=====================================================================

1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.14.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.14 for RHEL 8 - noarch 

3. Description:

Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work
(CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack
(Rapid Reset Attack) (CVE-2023-44487)

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script
Security Plugin (CVE-2023-24422)

* Jenkins: Session fixation vulnerability in OpenShift Login Plugin
(CVE-2023-37946)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin may
approve unsandboxed scripts (CVE-2023-40336)

* guava: insecure temporary directory creation (CVE-2023-2976)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
(CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline:
Build Step Plugin (CVE-2023-25762)

* jackson-databind: denial of service via cyclic dependencies (CVE-2023-35116)

* Jenkins: Open redirect vulnerability in OpenShift Login Plugin
(CVE-2023-37947)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin
(CVE-2023-40337)

* jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin
(CVE-2023-40338)

* jenkins-plugins: config-file-provider: Improper masking of credentials in
Config File Provider Plugin (CVE-2023-40339)

* jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows
capturing credentials (CVE-2023-40341)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2126789 - CVE-2022-25857 - snakeyaml: Denial of Service due to missing nested
depth limitation for collections
2066479 - CVE-2022-29599 - maven-shared-utils: Command injection via Commandline
class
2135435 - CVE-2022-42889 - apache-commons-text: variable interpolation RCE 
2215229 - CVE-2023-2976 - guava: insecure temporary directory creation 
2164278 - CVE-2023-24422 - jenkins-2-plugins/script-security: Sandbox bypass
vulnerability in Script Security Plugin
2170039 - CVE-2023-25761 - jenkins-2-plugins/JUnit: Stored XSS vulnerability in
JUnit Plugin
2170041 - CVE-2023-25762 - jenkins-2-plugins/pipeline-build-step: Stored XSS
vulnerability in Pipeline: Build Step Plugin
2215214 - CVE-2023-35116 - jackson-databind: denial of service via cyclic
dependencies
2222709 - CVE-2023-37946 - Jenkins: Session fixation vulnerability in OpenShift
Login Plugin
2222710 - CVE-2023-37947 - Jenkins: Open redirect vulnerability in OpenShift
Login Plugin
2243296 - CVE-2023-39325 - golang: net/http, x/net/http2: rapid stream resets
can cause excessive work (CVE-2023-44487)
2232424 - CVE-2023-40336 - jenkins-plugins: cloudbees-folder: CSRF vulnerability
in Folders Plugin may approve unsandboxed scripts
2232425 - CVE-2023-40337 - jenkins-plugins: cloudbees-folder: CSRF vulnerability
in Folders Plugin
2232426 - CVE-2023-40338 - jenkins-plugins: cloudbees-folder: Information
disclosure in Folders Plugin
2232423 - CVE-2023-40339 - jenkins-plugins: config-file-provider: Improper
masking of credentials in Config File Provider Plugin
2232422 - CVE-2023-40341 - jenkins-plugins: blueocean: CSRF vulnerability in
Blue Ocean Plugin allows capturing credentials
2242803 - CVE-2023-44487 - HTTP/2: Multiple HTTP/2 enabled web servers are
vulnerable to a DDoS attack (Rapid Reset Attack)

6. Package List:

OpenShift Developer Tools and Services for OCP 4.14 for RHEL 8

noarch:
jenkins-2-plugins-0:4.14.1706516441-1.el8.noarch.rpm
jenkins-0:2.426.3.1706516352-3.el8.noarch.rpm

Source:
jenkins-2-plugins-0:4.14.1706516441-1.el8.src.rpm
jenkins-0:2.426.3.1706516352-3.el8.src.rpm
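As an added verification helper, not part of the Red Hat advisory or the AusCERT bulletin: it checks whether an installed Jenkins package is at or above the fixed builds listed in section 6, reimplementing librpm's version-segment ordering in Python so it can run without rpm present. The FIXED table holds the page's own package NEVRAs; any installed-version strings fed to it are constructed samples.

```python
import re
# Fixed builds from section 6 of RHSA-2024:0777 (the page's own NEVRAs).
FIXED = {
    "jenkins": "jenkins-0:2.426.3.1706516352-3.el8.noarch.rpm",
    "jenkins-2-plugins": "jenkins-2-plugins-0:4.14.1706516441-1.el8.noarch.rpm",
}

def rpmvercmp(a, b):
    # librpm ordering for ASCII version strings: digit runs compare numerically,
    # alpha runs lexically, separators are skipped; '~'/'^' markers not handled.
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        sb = m.group(0) if (m := re.match(pat, b[j:])) else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:
            return 1 if isnum else -1     # a numeric segment beats an alpha one
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever has segments left is newer

def parse_nevra(s):
    # 'name-epoch:version-release.arch[.rpm]' -> (name, epoch, version, release, arch)
    s = s[:-4] if s.endswith(".rpm") else s
    rest, arch = s.rsplit(".", 1)
    nv, release = rest.rsplit("-", 1)
    name, ev = nv.rsplit("-", 1)
    epoch, _, version = ev.rpartition(":")
    return name, int(epoch or 0), version, release, arch

def is_patched(installed):
    # installed: a line of  rpm -q --qf '%{NAME}-%{EPOCHNUM}:%{VERSION}-%{RELEASE}.%{ARCH}\n'
    name, epoch, ver, rel, _ = parse_nevra(installed)
    _, fepoch, fver, frel, _ = parse_nevra(FIXED[name])
    order = (epoch > fepoch) - (epoch < fepoch) or rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
    return order >= 0
```

Feed it the output of the rpm query in the comment for jenkins and jenkins-2-plugins; a False result means the host still carries a build older than this advisory's fix.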

7. References:

https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-29599
https://access.redhat.com/security/cve/CVE-2022-42889
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2023-24422
https://access.redhat.com/security/cve/CVE-2023-25761
https://access.redhat.com/security/cve/CVE-2023-25762
https://access.redhat.com/security/cve/CVE-2023-35116
https://access.redhat.com/security/cve/CVE-2023-37946
https://access.redhat.com/security/cve/CVE-2023-37947
https://access.redhat.com/security/cve/CVE-2023-39325
https://access.redhat.com/security/cve/CVE-2023-40336
https://access.redhat.com/security/cve/CVE-2023-40337
https://access.redhat.com/security/cve/CVE-2023-40338
https://access.redhat.com/security/cve/CVE-2023-40339
https://access.redhat.com/security/cve/CVE-2023-40341
https://access.redhat.com/security/cve/CVE-2023-44487
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================