ESB-2019.1233 - [Win][UNIX/Linux][RedHat] jenkins-2-plugins: Execute arbitrary code/commands - Existing account 2019-04-11



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1233
           Important: Red Hat OpenShift Container Platform 3.11
                     jenkins-2-plugins security update
                               11 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jenkins-2-plugins
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1003034 CVE-2019-1003031 CVE-2019-1003030
                   CVE-2019-1003029 CVE-2019-1003024 CVE-2019-1003005

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:0739

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running jenkins-2-plugins check for an updated version of the 
         software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Container Platform 3.11 jenkins-2-plugins security update
Advisory ID:       RHSA-2019:0739-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0739
Issue date:        2019-04-10
CVE Names:         CVE-2019-1003005 CVE-2019-1003024 CVE-2019-1003029 
                   CVE-2019-1003030 CVE-2019-1003031 CVE-2019-1003034 
=====================================================================

1. Summary:

An update for jenkins-2-plugins is now available for Red Hat OpenShift
Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security fix(es):

* jenkins-plugin-script-security: Sandbox bypass in script security plug-in
(CVE-2019-1003005)
* jenkins-plugin-script-security: Sandbox bypass in script security plug-in
(CVE-2019-1003024)
* jenkins-plugin-script-security: Sandbox bypass in script security plug-in
(CVE-2019-1003029)
* jenkins-plugin-workflow-cps: Sandbox bypass in pipeline: Groovy plug-in
(CVE-2019-1003030)
* jenkins-matrix-project-plugin: Sandbox bypass in matrix project plug-in
(CVE-2019-1003031)
* jenkins-job-dsl-plugin: Script security sandbox bypass in job DSL plug-in
(CVE-2019-1003034)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for release
3.11.98, for important instructions on how to upgrade your cluster and fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1670283 - CVE-2019-1003005 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1292)
1684556 - CVE-2019-1003024 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1320)
1689873 - CVE-2019-1003029 jenkins-plugin-script-security: sandbox bypass in script security plugin
1689886 - CVE-2019-1003031 jenkins-matrix-project-plugin: sandbox bypass in matrix project plugin
1690663 - CVE-2019-1003034 jenkins-job-dsl-plugin: Script security sandbox bypass in Job DSL Plugin (SECURITY-1342)
1690665 - CVE-2019-1003030 jenkins-plugin-workflow-cps: Sandbox bypass in Pipeline: Groovy Plugin (SECURITY-1336(2))

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
jenkins-2-plugins-3.11.1552336312-1.el7.src.rpm

noarch:
jenkins-2-plugins-3.11.1552336312-1.el7.noarch.rpm
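A version check against the package list above, added here as an example and not part of the Red Hat advisory or the AusCERT bulletin: it reimplements rpm's version ordering in Python so that the output of rpm -q jenkins-2-plugins from a host can be compared offline against the fixed build. The pre-fix build number and the host outputs in the block are constructed samples; the fixed NVR is the one listed in the advisory.

```python
import re

# Fixed build from the advisory's package list (RHSA-2019:0739).
FIXED_NVR = "jenkins-2-plugins-3.11.1552336312-1.el7"
KNOWN_ARCHES = ("noarch", "x86_64", "src")

def split_nvr(nvra):
    """Split 'name-version-release[.arch]' into (name, version, release);
    rpm's convention is that the last two '-' delimit version and release."""
    for arch in KNOWN_ARCHES:
        if nvra.endswith("." + arch):
            nvra = nvra[: -len(arch) - 1]
            break
    name, version, release = nvra.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Order two version (or release) strings like rpm's rpmvercmp, without
    the '~'/'^' special cases: compare maximal digit runs numerically and
    alpha runs lexically, a digit run beats an alpha run, leftover wins."""
    seg = re.compile(r"[0-9]+|[a-zA-Z]+")
    sa, sb = seg.findall(a), seg.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd and int(x) != int(y):
            return 1 if int(x) > int(y) else -1
        if not xd and x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_vulnerable(installed, fixed=FIXED_NVR):
    """True when the installed package (as printed by 'rpm -q') is older
    than the build carrying the fixes; False once it is at or beyond it."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1!r} vs {n2!r}")
    order = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return order < 0

if __name__ == "__main__":
    # Constructed 'rpm -q jenkins-2-plugins' outputs: a hypothetical pre-fix build, then the fixed one.
    for host_output in ("jenkins-2-plugins-3.11.1551284587-1.el7.noarch",
                        "jenkins-2-plugins-3.11.1552336312-1.el7.noarch"):
        print(host_output, "VULNERABLE" if is_vulnerable(host_output) else "fixed")
```

On a real host, feed the block the line printed by rpm -q jenkins-2-plugins; a later build (higher timestamp or release) is reported as fixed, and a different package name raises rather than silently comparing.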

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-1003005
https://access.redhat.com/security/cve/CVE-2019-1003024
https://access.redhat.com/security/cve/CVE-2019-1003029
https://access.redhat.com/security/cve/CVE-2019-1003030
https://access.redhat.com/security/cve/CVE-2019-1003031
https://access.redhat.com/security/cve/CVE-2019-1003034
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================