Operating System:

[RedHat]

Published:

27 August 2020

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2020.2943 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2943
             OpenShift Container Platform 3.11 security update
                              27 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 3.11
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Existing Account      
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13757 CVE-2020-2226 CVE-2020-2225
                   CVE-2020-2224 CVE-2020-2223 CVE-2020-2222
                   CVE-2020-2221 CVE-2020-2220 CVE-2020-1741
                   CVE-2019-16541  

Reference:         ESB-2020.2897
                   ESB-2020.2850
                   ESB-2020.2435
                   ESB-2019.4420

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:3541

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.11 security update
Advisory ID:       RHSA-2020:3541-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3541
Issue date:        2020-08-26
CVE Names:         CVE-2019-16541 CVE-2020-1741 CVE-2020-2220 
                   CVE-2020-2221 CVE-2020-2222 CVE-2020-2223 
                   CVE-2020-2224 CVE-2020-2225 CVE-2020-2226 
                   CVE-2020-13757 
=====================================================================

1. Summary:

An update for jenkins, jenkins-2-plugins, openshift-ansible, and python-rsa
is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron. The
Matrix Project is a module which handles creating Jenkins
multi-configuration projects (matrix projects). Matrix Authorization allows
configuring the lowest level permissions, such as starting new builds,
configuring items, or deleting them, individually.

Python-RSA is a RSA implementation in Python. It can be used as a Python
library as well as the commandline utility.

Ansible is a SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

* jenkins: Stored XSS vulnerability in job build time trend (CVE-2020-2220)

* jenkins: Stored XSS vulnerability in upstream cause (CVE-2020-2221)

* jenkins: Stored XSS vulnerability in 'keep forever' badge icons
(CVE-2020-2222)

* jenkins: Stored XSS vulnerability in console links (CVE-2020-2223)

* jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis
builds tooltips (CVE-2020-2224)

* jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple
axis builds tooltips (CVE-2020-2225)

* jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix
Authorization Strategy Plugin (CVE-2020-2226)

* jenkins-jira-plugin: plugin information disclosure (CVE-2019-16541)

* python-rsa: decryption of ciphertext leads to DoS (CVE-2020-13757)

* openshift-ansible: cors allowed origin allows changing url protocol
(CVE-2020-1741)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for release
3.11.272, for important instructions on how to upgrade your cluster and
fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1802381 - CVE-2020-1741 openshift-ansible: cors allowed origin allows changing url protocol
1819663 - CVE-2019-16541 jenkins-jira-plugin: plugin information disclosure
1848507 - CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS
1857425 - CVE-2020-2220 jenkins: Stored XSS vulnerability in job build time trend
1857427 - CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause
1857431 - CVE-2020-2222 jenkins: Stored XSS vulnerability in 'keep forever' badge icons
1857433 - CVE-2020-2223 jenkins: Stored XSS vulnerability in console links
1857436 - CVE-2020-2224 jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis builds tooltips
1857439 - CVE-2020-2225 jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple axis builds tooltips
1857441 - CVE-2020-2226 jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix Authorization Strategy Plugin

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
jenkins-2-plugins-3.11.1597310986-1.el7.src.rpm
jenkins-2.235.2.1597220898-1.el7.src.rpm
openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.src.rpm
python-rsa-4.5-2.el7.src.rpm

noarch:
jenkins-2-plugins-3.11.1597310986-1.el7.noarch.rpm
jenkins-2.235.2.1597220898-1.el7.noarch.rpm
openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-docs-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-playbooks-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-roles-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-test-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
python2-rsa-4.5-2.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-16541
https://access.redhat.com/security/cve/CVE-2020-1741
https://access.redhat.com/security/cve/CVE-2020-2220
https://access.redhat.com/security/cve/CVE-2020-2221
https://access.redhat.com/security/cve/CVE-2020-2222
https://access.redhat.com/security/cve/CVE-2020-2223
https://access.redhat.com/security/cve/CVE-2020-2224
https://access.redhat.com/security/cve/CVE-2020-2225
https://access.redhat.com/security/cve/CVE-2020-2226
https://access.redhat.com/security/cve/CVE-2020-13757
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX0bmstzjgjWX9erEAQjTQQ//ZxCg3gPCNpNyo3vMDigEgUfso8aPVhAE
L/OUqtBiaQYK495J9jwl6ZOtvKIBpzrd12emypAO30LYLbEm3znMqwosPxq7bGfi
p8tHJ+KIpKmMLyK5bOWJh9wMJvRYPzuOU/5gFoP0H7NIUw6Z5J/G51g+dnXS1JXi
6/Bs9Ys7v6yrPmI2WBEfKRAsLzpUWJxC8Zi4hkBhVdpjCHNwUM543TAO5mdCrY06
ty1l+rGHEEpFvWCA6+cxs98Gww8ClYilBORmTWaVJa027HUIggg6WInRkKzipqVw
FBUmMaHBU88PlJS9esyzaZaeWf29x6Rn5JU6dUx6O9HQ8CuzljybAV2Om/zmZbQ1
K0c6R6AtuIblf2FFOlXlOSBTJOjBn8Uml1kMcsQtBYhUT1ofsNHTPAPM0ds1XMTN
fRBmI5792zLIdYuQh1tC2Gn4xlteplGZ6mb2yASVvXjrlMD4phOwzrzvVguNgb7I
zxfa6eyC8/FEg+3EdstIAnA9TsX8YHhE6vlzp+m0h68ESV53viTFwG/iCbvCqGaz
8TTfsOSgXLDZAsZkjBOLINqLuDslyP3c8tE8g7QarMBKSNDNGRR/PQYPh7PZ1JKi
srdu9BtBBeJwhscxXkqrpwTonvF6IQTgwAsyxW3vItdwmy3Wlewg9aKw2JYkoI0o
ZcXmkKaTv2M=
=Uu+D
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX0c+AeNLKJtyKPYoAQiI2A//QK6RRRZV3eQgdR0lX87SRGjyzRu4z8hN
lNqZgBKG3C5jWzdxtwxVSK6lQQTVIZdmk+saLADLc6f46qgM/RBfmYh0th5hG4JP
l9Qjg2jHUeuMT+Lq5U67oQ6HAfON0L8mqXxhos5i5w02rOFvuHmMartRbdmusQnN
BHdbuv4qMLW8I9mcba+z0fL9Q3FzxCQvi7N2z3LDhJ4CN5d7c+f1JtAOhv31wqjr
6jWjVfMuRa5gfPCzsKO9pZ8KN2R7dxDSExIlijOTjFtYLlsSpmhOoqVL6GQIIs3b
OF3eMFNXF6m08G0WULOlfC/HGYFCDjTSiTbVmt0qgP0EwP/DM4+fjF9XvOy4DLlS
7OvToTv5G0NP22u3yvzMSaajweTudbXz/GRCvs9oyNrwXPbMFQNsLMcoo4mw5ARs
mRgsdOKUgLrqF4WaGbB/dlAWAHHh0OxK55O83YGHI5CHHxwm1vardOytBBLCM+uA
LWizG6AcoSYwYbKzKitq2jmchFgnqnezZOdzzgfG+MBfv+pgZ92FQo2IDNBOJo6F
7XR4urj07A4JFFEkim8o8YOukzOF2OA0a2h0qK5WMbv878WIaP18oeoPwml5odzZ
AQ5octiSIQwnZZNYaXAC1i9wyU/4BQkp7IQwoMgWtacHoxpkz6A+QNSTnlE2kDnV
o+LqYx61oq0=
=RNeb
-----END PGP SIGNATURE-----