-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0905
               jenkins and jenkins-2-plugins security update
                             13 February 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jenkins
                   jenkins-2-plugins
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-23898 CVE-2024-23897 CVE-2023-37946
                   CVE-2023-25762 CVE-2023-25761 CVE-2023-24422
                   CVE-2022-42889 CVE-2022-29599 CVE-2022-25857
                   CVE-2021-26291  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2024:0776

Comment: CVSS (Max):  9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security
                   update
Advisory ID:       RHSA-2024:0776
Product:           OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:0776
Issue date:        2024-02-12
CVE Names:         CVE-2021-26291 CVE-2022-25857 CVE-2022-29599 CVE-2022-42889
                   CVE-2023-24422 CVE-2023-25761 CVE-2023-25762 CVE-2023-37946
                   CVE-2024-23897 CVE-2024-23898
=====================================================================

1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.13.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8 - noarch 

3. Description:

Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* maven: Block repositories using http by default (CVE-2021-26291)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script
Security Plugin (CVE-2023-24422)

* Jenkins: Session fixation vulnerability in OpenShift Login Plugin
(CVE-2023-37946)

* jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE
(CVE-2024-23897)

* jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
(CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline:
Build Step Plugin (CVE-2023-25762)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1955739 - CVE-2021-26291 - maven: Block repositories using http by default 
2126789 - CVE-2022-25857 - snakeyaml: Denial of Service due to missing nested
depth limitation for collections
2066479 - CVE-2022-29599 - maven-shared-utils: Command injection via Commandline
class
2135435 - CVE-2022-42889 - apache-commons-text: variable interpolation RCE 
2164278 - CVE-2023-24422 - jenkins-2-plugins/script-security: Sandbox bypass
vulnerability in Script Security Plugin
2170039 - CVE-2023-25761 - jenkins-2-plugins/JUnit: Stored XSS vulnerability in
JUnit Plugin
2170041 - CVE-2023-25762 - jenkins-2-plugins/pipeline-build-step: Stored XSS
vulnerability in Pipeline: Build Step Plugin
2222709 - CVE-2023-37946 - Jenkins: Session fixation vulnerability in OpenShift
Login Plugin
2260180 - CVE-2024-23897 - jenkins: Arbitrary file read vulnerability through
the CLI can lead to RCE
2260182 - CVE-2024-23898 - jenkins: cross-site WebSocket hijacking 

6. Package List:

OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8

noarch:
jenkins-2-plugins-0:4.13.1706516346-1.el8.noarch.rpm
jenkins-0:2.426.3.1706516254-3.el8.noarch.rpm

Source:
jenkins-2-plugins-0:4.13.1706516346-1.el8.src.rpm
jenkins-0:2.426.3.1706516254-3.el8.src.rpm
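
The two noarch builds above are the values a host check has to compare against. As an added example (not part of the Red Hat or AusCERT bulletin), this Python script orders `epoch:version-release` strings the way rpmvercmp does and flags any listed package that is older than the fixed build; the sample `rpm -q` output, including the old jenkins version in it, is constructed, and the `--qf` format in the docstring is standard rpm query syntax.

```python
"""Compare installed jenkins RPM EVRs with the fixed builds in RHSA-2024:0776.

Expected input: lines in the shape produced by
  rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' jenkins jenkins-2-plugins
Tilde/caret ordering from newer rpm is not implemented; these versions need neither.
"""
import re

# Fixed builds taken from section 6 of the advisory (noarch packages).
FIXED = {
    "jenkins": "0:2.426.3.1706516254-3.el8",
    "jenkins-2-plugins": "0:4.13.1706516346-1.el8",
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version or release strings like rpm does."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts as newer
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins

def split_evr(evr: str) -> tuple:
    """Split 'epoch:version-release'; a missing or '(none)' epoch counts as 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    if epoch in ("", "(none)"):
        epoch = "0"
    version, _, release = rest.rpartition("-")
    return epoch, version, release

def evr_cmp(a: str, b: str) -> int:
    """Compare epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        if (r := rpmvercmp(x, y)):
            return r
    return 0

def vulnerable(rpm_q_output: str) -> dict:
    """Map each advisory package in the output to True if older than the fix."""
    result = {}
    for line in rpm_q_output.splitlines():
        if line.strip():
            name, evr = line.split()
            if name in FIXED:
                result[name] = evr_cmp(evr, FIXED[name]) < 0
    return result

# Constructed sample: jenkins still on an older build, plugins already at the fix.
SAMPLE = "jenkins 0:2.401.1.1686831596-3.el8\njenkins-2-plugins 0:4.13.1706516346-1.el8\n"

if __name__ == "__main__":
    for pkg, needs_update in vulnerable(SAMPLE).items():
        print(f"{pkg}: {'UPDATE NEEDED' if needs_update else 'at fixed build'}")
```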

7. References:

https://access.redhat.com/security/cve/CVE-2021-26291
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-29599
https://access.redhat.com/security/cve/CVE-2022-42889
https://access.redhat.com/security/cve/CVE-2023-24422
https://access.redhat.com/security/cve/CVE-2023-25761
https://access.redhat.com/security/cve/CVE-2023-25762
https://access.redhat.com/security/cve/CVE-2023-37946
https://access.redhat.com/security/cve/CVE-2024-23897
https://access.redhat.com/security/cve/CVE-2024-23898
https://access.redhat.com/security/updates/classification/#important

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----