-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update
Advisory ID:       RHSA-2023:3610-01
Product:           OpenShift Developer Tools and Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3610
Issue date:        2023-06-15
CVE Names:         CVE-2021-46877 CVE-2022-29599 CVE-2022-30953 
                   CVE-2022-30954 CVE-2022-40149 CVE-2022-40150 
                   CVE-2022-41723 CVE-2022-45693 CVE-2023-1370 
                   CVE-2023-20860 CVE-2023-20861 CVE-2023-24422 
                   CVE-2023-32977 CVE-2023-32981 
====================================================================
1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* maven-shared-utils: Command injection via Commandline class
(CVE-2022-29599)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script
Security Plugin (CVE-2023-24422)

* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job
Plugin (CVE-2023-32977)

* jackson-databind: Possible DoS if using JDK serialization to serialize
JsonNode (CVE-2021-46877)

* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

* Jenkins plugin: missing permission checks in Blue Ocean Plugin
(CVE-2022-30954)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* jettison:  If the value in map is the map's self, the new new
JSONObject(map) cause StackOverflowError which may lead to dos
(CVE-2022-45693)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write
vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)

* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2066479 - CVE-2022-29599 maven-shared-utils: Command injection via Commandline class
2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin
2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
2155970 - CVE-2022-45693 jettison:  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos
2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin
2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin

6. Package List:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:

Source:
jenkins-2-plugins-4.12.1686649756-1.el8.src.rpm
jenkins-2.401.1.1686649641-3.el8.src.rpm

noarch:
jenkins-2-plugins-4.12.1686649756-1.el8.noarch.rpm
jenkins-2.401.1.1686649641-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-46877
https://access.redhat.com/security/cve/CVE-2022-29599
https://access.redhat.com/security/cve/CVE-2022-30953
https://access.redhat.com/security/cve/CVE-2022-30954
https://access.redhat.com/security/cve/CVE-2022-40149
https://access.redhat.com/security/cve/CVE-2022-40150
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-45693
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20861
https://access.redhat.com/security/cve/CVE-2023-24422
https://access.redhat.com/security/cve/CVE-2023-32977
https://access.redhat.com/security/cve/CVE-2023-32981
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZIpfuNzjgjWX9erEAQgVTQ//RoKN2zjvmL/IsBBSk3Uxfv/mrixVhb1v
kCZY6rPODxDExQ65zcu1cjvM6jTICDmqIBkZCLlVMrQC/zNTM9QnwGeF/tstuUEO
Rz1jTC0N/8pPBHHQ6ngA/P4YX+X7nSwxDmE8oB9wPRBqMGdzNTQtyrELZ5tfUei/
pc1r71HcdJUih416Wj4qm5T7zyTvEdgyXUFHoOpkUHOOPx93b5l+iI8ZfSEnfmFW
+3zck15+ffNZPnWLMkVXcwpq356e0jJUriZdpgDtS6pqfiLP/VxAZ3A7aPEtyJ2g
SGolsN44ie/JbTLWNNe7xNTlgz8yBttn6TxekspUqxeoZxBPbFuzRJCmolp8VXJl
jSwSiSL2uJ2HujNQLORfMndDgKy0cC/npnhHSOI8aXHtFdo69Qhlc0zAiY4951hS
6zwKeTQoY0Q6JgmaDqkgDM5bvR1L5T3KuLYEDmEuJz3hhS9j/1BBXJsgP2bLgG7q
9gYhxr8rpmGno9za+zqUqSP4qkfFgFmTaGz2frf8udaHo2GcSq8xkw/vi5N/QfwL
MwAGzFX09P+YzMBFspBA1BxOYKdc0fnCUni18AzwnBXweAoi/hEsUpX/OUuV2xJj
7qwXyzxFXu5XNOOYAkn2S85OCACAI+EqPuv4QeQmJaQVXm2bHiDZyehcOveSR0Fp
2N2NeKUt0Tg=j0+7
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3610:01 Important: jenkins and jenkins-2-plugins security

An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12

Summary

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-46877 https://access.redhat.com/security/cve/CVE-2022-29599 https://access.redhat.com/security/cve/CVE-2022-30953 https://access.redhat.com/security/cve/CVE-2022-30954 https://access.redhat.com/security/cve/CVE-2022-40149 https://access.redhat.com/security/cve/CVE-2022-40150 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-45693 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20861 https://access.redhat.com/security/cve/CVE-2023-24422 https://access.redhat.com/security/cve/CVE-2023-32977 https://access.redhat.com/security/cve/CVE-2023-32981 https://access.redhat.com/security/updates/classification/#important

Package List

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:
Source: jenkins-2-plugins-4.12.1686649756-1.el8.src.rpm jenkins-2.401.1.1686649641-3.el8.src.rpm
noarch: jenkins-2-plugins-4.12.1686649756-1.el8.noarch.rpm jenkins-2.401.1.1686649641-3.el8.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2023:3610-01
Product: OpenShift Developer Tools and Services
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3610
Issued Date: : 2023-06-15
CVE Names: CVE-2021-46877 CVE-2022-29599 CVE-2022-30953 CVE-2022-30954 CVE-2022-40149 CVE-2022-40150 CVE-2022-41723 CVE-2022-45693 CVE-2023-1370 CVE-2023-20860 CVE-2023-20861 CVE-2023-24422 CVE-2023-32977 CVE-2023-32981

Topic

An update for jenkins and jenkins-2-plugins is now available for OpenShiftDeveloper Tools and Services for OCP 4.12.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch


Bugs Fixed

2066479 - CVE-2022-29599 maven-shared-utils: Command injection via Commandline class

2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin

2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin

2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data

2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow

2155970 - CVE-2022-45693 jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos

2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern

2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability

2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode

2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin

2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved