-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0903
               Jenkins and Jenkins-2-plugins security update
                             13 February 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
                   Jenkins-2-plugins
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-23898 CVE-2024-23897 CVE-2023-40341
                   CVE-2023-40339 CVE-2023-40338 CVE-2023-40337
                   CVE-2023-40167 CVE-2023-37947 CVE-2023-27904
                   CVE-2023-27903 CVE-2023-26049 CVE-2023-26048
                   CVE-2023-25762 CVE-2023-25761 CVE-2023-24422
                   CVE-2023-20862 CVE-2023-20861 CVE-2023-2976
                   CVE-2022-42889 CVE-2022-29599 CVE-2022-25857
                   CVE-2022-1962 CVE-2021-26291 CVE-2020-7692

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2024:0778

Comment: CVSS (Max):  9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Important: Jenkins and Jenkins-2-plugins security
                   update
Advisory ID:       RHSA-2024:0778
Product:           OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:0778
Issue date:        2024-02-12
CVE Names:         CVE-2020-7692 CVE-2021-26291 CVE-2022-1962 CVE-2022-25857
                   CVE-2022-29599 CVE-2022-42889 CVE-2023-2976 CVE-2023-20861
                   CVE-2023-20862 CVE-2023-24422 CVE-2023-25761 CVE-2023-25762
                   CVE-2023-26048 CVE-2023-26049 CVE-2023-27903 CVE-2023-27904
                   CVE-2023-37947 CVE-2023-40167 CVE-2023-40337 CVE-2023-40338
                   CVE-2023-40339 CVE-2023-40341 CVE-2024-23897 CVE-2024-23898
=====================================================================

1. Summary:

An update for Jenkins and Jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch 

3. Description:

Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth
2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)

* maven: Block repositories using http by default (CVE-2021-26291)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script
Security Plugin (CVE-2023-24422)

* jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE
(CVE-2024-23897)

* jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

* guava: insecure temporary directory creation (CVE-2023-2976)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout
(CVE-2023-20862)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
(CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline:
Build Step Plugin (CVE-2023-25762)

* jetty-server: OutOfMemoryError for large multipart without filename read via
request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other
cookies (CVE-2023-26049)

* Jenkins: Open redirect vulnerability in OpenShift Login Plugin
(CVE-2023-37947)

* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin
(CVE-2023-40337)

* jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin
(CVE-2023-40338)

* jenkins-plugins: config-file-provider: Improper masking of credentials in
Config File Provider Plugin (CVE-2023-40339)

* jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows
capturing credentials (CVE-2023-40341)

* Jenkins: Temporary file parameter created with insecure permissions
(CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to agents
(CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1856376 - CVE-2020-7692 - google-oauth-client: missing PKCE support in
accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper
authorization
1955739 - CVE-2021-26291 - maven: Block repositories using http by default 
2107376 - CVE-2022-1962 - golang: go/parser: stack exhaustion in all Parse*
functions
2126789 - CVE-2022-25857 - snakeyaml: Denial of Service due to missing nested
depth limitation for collections
2066479 - CVE-2022-29599 - maven-shared-utils: Command injection via Commandline
class
2135435 - CVE-2022-42889 - apache-commons-text: variable interpolation RCE 
2215229 - CVE-2023-2976 - guava: insecure temporary directory creation 
2180530 - CVE-2023-20861 - springframework: Spring Expression DoS Vulnerability 
2227788 - CVE-2023-20862 - spring-security: Empty SecurityContext Is Not
Properly Saved Upon Logout
2164278 - CVE-2023-24422 - jenkins-2-plugins/script-security: Sandbox bypass
vulnerability in Script Security Plugin
2170039 - CVE-2023-25761 - jenkins-2-plugins/JUnit: Stored XSS vulnerability in
JUnit Plugin
2170041 - CVE-2023-25762 - jenkins-2-plugins/pipeline-build-step: Stored XSS
vulnerability in Pipeline: Build Step Plugin
2236340 - CVE-2023-26048 - jetty-server: OutOfMemoryError for large multipart
without filename read via request.getParameter()
2236341 - CVE-2023-26049 - jetty-server: Cookie parsing of quoted values can
exfiltrate values from other cookies
2177632 - CVE-2023-27903 - Jenkins: Temporary file parameter created with
insecure permissions
2177634 - CVE-2023-27904 - Jenkins: Information disclosure through error stack
traces related to agents
2222710 - CVE-2023-37947 - Jenkins: Open redirect vulnerability in OpenShift
Login Plugin
2239634 - CVE-2023-40167 - jetty: Improper validation of HTTP/1 content-length 
2232425 - CVE-2023-40337 - jenkins-plugins: cloudbees-folder: CSRF vulnerability
in Folders Plugin
2232426 - CVE-2023-40338 - jenkins-plugins: cloudbees-folder: Information
disclosure in Folders Plugin
2232423 - CVE-2023-40339 - jenkins-plugins: config-file-provider: Improper
masking of credentials in Config File Provider Plugin
2232422 - CVE-2023-40341 - jenkins-plugins: blueocean: CSRF vulnerability in
Blue Ocean Plugin allows capturing credentials
2260180 - CVE-2024-23897 - jenkins: Arbitrary file read vulnerability through
the CLI can lead to RCE
2260182 - CVE-2024-23898 - jenkins: cross-site WebSocket hijacking 

6. Package List:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8

noarch:
jenkins-2-plugins-0:4.12.1706515741-1.el8.noarch.rpm
jenkins-0:2.426.3.1706515686-3.el8.noarch.rpm

Source:
jenkins-2-plugins-0:4.12.1706515741-1.el8.src.rpm
jenkins-0:2.426.3.1706515686-3.el8.src.rpm
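The package list above gives the fixed NEVR (name, epoch, version, release) for both packages, which is what an administrator checks an installed host against to confirm the update has landed. The following script is an added example and is not part of the Red Hat advisory or the AusCERT bulletin: it parses the fixed package names listed in this advisory, reads lines in the shape produced by `rpm -q --qf '%{NAME}-%{EPOCHNUM}:%{VERSION}-%{RELEASE}.%{ARCH}\n' jenkins jenkins-2-plugins`, and reports any installed package that sorts older than the fixed build. The version comparison implements rpm's ordering for digit and letter segments (numeric segments compared as integers, a numeric segment newer than an alphabetic one, the string with segments left over newer); the tilde and caret pre-release rules of rpmvercmp are deliberately not implemented, and the "installed" lines in `SAMPLE_INSTALLED` are constructed for the demonstration, not taken from any real host.

```python
import re
from dataclasses import dataclass

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version or release strings; returns -1, 0 or 1.
    Covers rpm's digit/letter segment rules only (tilde/caret omitted:
    a simplification assumed for this example)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # leading zeros are irrelevant
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        elif x != y:
            return -1 if x < y else 1        # plain lexical order for letters
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1    # leftover segments win


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: int
    version: str
    release: str
    arch: str


def parse_nevra(text: str) -> Nevra:
    """Parse 'name-epoch:version-release.arch[.rpm]'. Splitting from the
    right keeps hyphenated names such as jenkins-2-plugins intact."""
    text = text[:-4] if text.endswith(".rpm") else text
    rest, arch = text.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, ev = rest.rsplit("-", 1)
    epoch, version = ev.split(":", 1) if ":" in ev else ("0", ev)
    if epoch == "(none)":                    # rpm prints this for a missing epoch
        epoch = "0"
    return Nevra(name, int(epoch), version, release, arch)


def compare_evr(a: Nevra, b: Nevra) -> int:
    """Epoch first, then version, then release, as rpm orders packages."""
    if a.epoch != b.epoch:
        return -1 if a.epoch < b.epoch else 1
    c = rpmvercmp(a.version, b.version)
    return c if c else rpmvercmp(a.release, b.release)


# Fixed builds exactly as listed in section 6 of RHSA-2024:0778 (noarch).
FIXED = {
    p.name: p
    for p in (
        parse_nevra("jenkins-2-plugins-0:4.12.1706515741-1.el8.noarch.rpm"),
        parse_nevra("jenkins-0:2.426.3.1706515686-3.el8.noarch.rpm"),
    )
}


def vulnerable_packages(installed_lines):
    """Return (installed, fixed) pairs for every queried package that is
    still older than the advisory's fixed build."""
    findings = []
    for line in installed_lines:
        line = line.strip()
        if not line or line.startswith("package "):   # "package X is not installed"
            continue
        inst = parse_nevra(line)
        fixed = FIXED.get(inst.name)
        if fixed is not None and compare_evr(inst, fixed) < 0:
            findings.append((inst, fixed))
    return findings


# Constructed sample of rpm -q output: jenkins on an older build (version
# and timestamp made up), jenkins-2-plugins already at the fixed level.
SAMPLE_INSTALLED = [
    "jenkins-0:2.426.1.1700000000-1.el8.noarch",
    "jenkins-2-plugins-0:4.12.1706515741-1.el8.noarch",
]

if __name__ == "__main__":
    for inst, fixed in vulnerable_packages(SAMPLE_INSTALLED):
        print(f"{inst.name}: installed {inst.epoch}:{inst.version}-{inst.release} "
              f"is older than fixed {fixed.epoch}:{fixed.version}-{fixed.release}")
```

Feed the script the real `rpm -q` output of a host to get a per-package verdict; a package that is absent ("package jenkins is not installed") is skipped rather than reported, so an empty result means either everything is at the fixed level or nothing is installed, and the two should be distinguished by inspecting the query output.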

7. References:

https://access.redhat.com/security/cve/CVE-2020-7692
https://access.redhat.com/security/cve/CVE-2021-26291
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-29599
https://access.redhat.com/security/cve/CVE-2022-42889
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2023-20861
https://access.redhat.com/security/cve/CVE-2023-20862
https://access.redhat.com/security/cve/CVE-2023-24422
https://access.redhat.com/security/cve/CVE-2023-25761
https://access.redhat.com/security/cve/CVE-2023-25762
https://access.redhat.com/security/cve/CVE-2023-26048
https://access.redhat.com/security/cve/CVE-2023-26049
https://access.redhat.com/security/cve/CVE-2023-27903
https://access.redhat.com/security/cve/CVE-2023-27904
https://access.redhat.com/security/cve/CVE-2023-37947
https://access.redhat.com/security/cve/CVE-2023-40167
https://access.redhat.com/security/cve/CVE-2023-40337
https://access.redhat.com/security/cve/CVE-2023-40338
https://access.redhat.com/security/cve/CVE-2023-40339
https://access.redhat.com/security/cve/CVE-2023-40341
https://access.redhat.com/security/cve/CVE-2024-23897
https://access.redhat.com/security/cve/CVE-2024-23898
https://access.redhat.com/security/updates/classification/#important

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----