-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2437
 Important: OpenShift Container Platform 4.1 jenkins-2-plugins security update
                                4 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.1 jenkins-2-plugins
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10337 CVE-2019-10328 CVE-2019-10320
Reference:         ESB-2019.1980 ESB-2019.1850

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:1636

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.1 jenkins-2-plugins security update
Advisory ID:       RHSA-2019:1636-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1636
Issue date:        2019-07-03
CVE Names:         CVE-2019-10320 CVE-2019-10328 CVE-2019-10337
=====================================================================

1. Summary:

An update for jenkins-2-plugins is now available for Red Hat OpenShift
Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.1 - noarch

3. Description:

This advisory contains the jenkins-2-plugins RPM packages for Red Hat
OpenShift Container Platform 4.1.4. See the following advisory for the
container images for this release:

https://access.redhat.com/errata/RHBA-2019:1635

Security Fix(es):

* jenkins-plugin-workflow-remote-loader: Unsafe Script Security whitelist
entry in Pipeline Remote Loader Plugin (CVE-2019-10328)

* jenkins-credentials-plugin: Certificate file read vulnerability in
Credentials Plugin (CVE-2019-10320)

* jenkins-plugin-token-macro: XML External Entity processing the ${XML}
macro (CVE-2019-10337)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata
as follows:

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.1.4

The image digest is
sha256:a6c177eb007d20bb00bfd8f829e99bd40137167480112bd5ae1c25e40a4a163a

All OpenShift Container Platform 4.1 users are advised to upgrade to these
updated packages and images.

4. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which
will be updated shortly for release 4.1.4, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1714054 - CVE-2019-10320 jenkins-credentials-plugin: Certificate file read vulnerability in Credentials Plugin (SECURITY-1322)
1716794 - CVE-2019-10328 jenkins-plugin-workflow-remote-loader: Unsafe Script Security whitelist entry in Pipeline Remote Loader Plugin (SECURITY-921)
1719782 - CVE-2019-10337 jenkins-plugin-token-macro: XML External Entity processing the ${XML} macro
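As an added example (not code from the Red Hat advisory or from AusCERT), the following POSIX shell helper checks an installed jenkins-2-plugins version-release against the fixed version from the Package List and checks captured `oc adm release info` output for the digest quoted above. The sample `oc` output is constructed and its layout is assumed; the script does not run `rpm` or `oc` itself, it only evaluates text you pass in.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory or the AusCERT bulletin:
# two checks a cluster admin can script when triaging this errata.
# The package version and the image digest are the ones the advisory quotes;
# the sample `oc` output below is constructed and its layout is assumed.

FIXED_VERSION="4.1.1561471763-1.el7"   # jenkins-2-plugins version-release, section 6
EXPECTED_DIGEST="sha256:a6c177eb007d20bb00bfd8f829e99bd40137167480112bd5ae1c25e40a4a163a"

# Returns 0 (true) when the installed version-release is older than the fix.
# Argument: the string printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}' jenkins-2-plugins
needs_update() {
    installed="$1"
    if [ "$installed" = "$FIXED_VERSION" ]; then
        return 1
    fi
    # sort -V compares each dotted/dashed component numerically, so the
    # build-timestamp component (1561471763) orders correctly. If the fixed
    # version sorts last, the installed one is older and needs the update.
    # (rpm's own rpmvercmp is authoritative; this is a close approximation.)
    last=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | tail -n 1)
    [ "$last" = "$FIXED_VERSION" ]
}

# Returns 0 when captured `oc adm release info` output contains the digest
# the advisory lists, i.e. the release inspected is 4.1.4 by content, not
# merely by tag. Argument: the captured output text.
digest_matches() {
    printf '%s\n' "$1" | grep -Fq "$EXPECTED_DIGEST"
}

# Constructed sample of what `oc adm release info ...:4.1.4` might print
# (layout assumed; only the digest value is taken from the advisory).
SAMPLE_OC_OUTPUT="Name:      4.1.4
Digest:    $EXPECTED_DIGEST
Pull From: quay.io/openshift-release-dev/ocp-release@$EXPECTED_DIGEST"

# Stand-alone usage: report on a constructed, pre-fix installed version.
if needs_update "4.1.1559234567-1.el7"; then
    echo "jenkins-2-plugins is older than $FIXED_VERSION: apply RHSA-2019:1636"
fi
if digest_matches "$SAMPLE_OC_OUTPUT"; then
    echo "release image digest matches the advisory"
fi
```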
6. Package List:

Red Hat OpenShift Container Platform 4.1:

Source:
jenkins-2-plugins-4.1.1561471763-1.el7.src.rpm

noarch:
jenkins-2-plugins-4.1.1561471763-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10320
https://access.redhat.com/security/cve/CVE-2019-10328
https://access.redhat.com/security/cve/CVE-2019-10337
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.