-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update
Advisory ID:       RHSA-2023:3663-01
Product:           OpenShift Developer Tools and Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3663
Issue date:        2023-06-19
CVE Names:         CVE-2022-2048 CVE-2022-22976 CVE-2022-40149 
                   CVE-2022-40150 CVE-2022-41966 CVE-2022-42003 
                   CVE-2022-42004 CVE-2023-1370 CVE-2023-1436 
                   CVE-2023-20860 CVE-2023-26464 CVE-2023-27898 
                   CVE-2023-27899 CVE-2023-27903 CVE-2023-27904 
                   CVE-2023-32977 CVE-2023-32981 
====================================================================
1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging
(CVE-2023-26464)

* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)

* Jenkins: Temporary plugin file created with insecure permissions
(CVE-2023-27899)

* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job
Plugin (CVE-2023-32977)

* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

* springframework: BCrypt skips salt rounds for work factor of 31
(CVE-2022-22976)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write
vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)

* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)

* Jenkins: Temporary file parameter created with insecure permissions
(CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to
agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
2177626 - CVE-2023-27899 Jenkins: Temporary plugin file created with insecure permissions
2177629 - CVE-2023-27898 Jenkins: XSS vulnerability in plugin manager
2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions
2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2182864 - CVE-2023-26464 log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin
2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin

6. Package List:

OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8:

Source:
jenkins-2-plugins-4.11.1686831822-1.el8.src.rpm
jenkins-2.401.1.1686831596-3.el8.src.rpm

noarch:
jenkins-2-plugins-4.11.1686831822-1.el8.noarch.rpm
jenkins-2.401.1.1686831596-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2048
https://access.redhat.com/security/cve/CVE-2022-22976
https://access.redhat.com/security/cve/CVE-2022-40149
https://access.redhat.com/security/cve/CVE-2022-40150
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-26464
https://access.redhat.com/security/cve/CVE-2023-27898
https://access.redhat.com/security/cve/CVE-2023-27899
https://access.redhat.com/security/cve/CVE-2023-27903
https://access.redhat.com/security/cve/CVE-2023-27904
https://access.redhat.com/security/cve/CVE-2023-32977
https://access.redhat.com/security/cve/CVE-2023-32981
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJBOjdzjgjWX9erEAQiIaxAAqRYmp33KBW/CzJxQJPBVI+FFOVBPJw4N
FtPLHkS8dOc1jn8G9iFNB65yJIRNR22P7pMgAeLTxQdKfSRcqXATnRb9KeGyS9rc
zywKYyEgnijy6vw/0fU1xFl6nWxvmQILZbE74ifH0viiyjRRHsNmtNt4Qxad3FGI
UFrmJ56s4YozyfbWtuZmbgtAeQ7BvuofSLaDPUDAcycsVdZ09QOlZjjRF1P06b+S
Qd4pivaACd1ofI6lmLXsF2cU+iSbOs8N9NyVEBgh/K7BdevBvcpivvb6E24GuNu8
2YvG+cY5fdv3Z+LIrr3OSepH9PIRcJqKFmMCBPxHQ0K74dv3Vu1xzNyLf+dfy7xZ
qerl648jXX2OQ6uOb4nYCG+F9OL0VKIVLluNQE9nPtkTe1S/HNAjMIwl15jl/td0
fhjQrDCs6xRV4/tu+UvwC6cbyoEJES0WAsveF0vwKTN3+4Bq+DpPv29zbRwv+rXY
MlVqM4LsNwK0u9DiuoAPr5/l8irCwD9ekGyaoSyclOLYfhixXc2A0sowRxA6adPt
IyBKKn4R6k/Rsm10KyRn6zSSwFjnFemgf30yLpnq2kffjHcZfakpeTbgS5VkRIdG
SNA+ZZAYQXfK41I9kVQj82cxBEeeomdTvSYo7+IErUcEAATL+CJZO7RyF8rLJe8z
9EuOj2l9FI4=nbrJ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3663:01 Important: jenkins and jenkins-2-plugins security

An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11

Summary

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)
* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)
* Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2022-2048 https://access.redhat.com/security/cve/CVE-2022-22976 https://access.redhat.com/security/cve/CVE-2022-40149 https://access.redhat.com/security/cve/CVE-2022-40150 https://access.redhat.com/security/cve/CVE-2022-41966 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-1436 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-26464 https://access.redhat.com/security/cve/CVE-2023-27898 https://access.redhat.com/security/cve/CVE-2023-27899 https://access.redhat.com/security/cve/CVE-2023-27903 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/cve/CVE-2023-32977 https://access.redhat.com/security/cve/CVE-2023-32981 https://access.redhat.com/security/updates/classification/#important

Package List

OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8:
Source: jenkins-2-plugins-4.11.1686831822-1.el8.src.rpm jenkins-2.401.1.1686831596-3.el8.src.rpm
noarch: jenkins-2-plugins-4.11.1686831822-1.el8.noarch.rpm jenkins-2.401.1.1686831596-3.el8.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2023:3663-01
Product: OpenShift Developer Tools and Services
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3663
Issued Date: : 2023-06-19
CVE Names: CVE-2022-2048 CVE-2022-22976 CVE-2022-40149 CVE-2022-40150 CVE-2022-41966 CVE-2022-42003 CVE-2022-42004 CVE-2023-1370 CVE-2023-1436 CVE-2023-20860 CVE-2023-26464 CVE-2023-27898 CVE-2023-27899 CVE-2023-27903 CVE-2023-27904 CVE-2023-32977 CVE-2023-32981

Topic

An update for jenkins and jenkins-2-plugins is now available for OpenShiftDeveloper Tools and Services for OCP 4.11.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8 - noarch


Bugs Fixed

2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31

2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data

2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow

2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow

2177626 - CVE-2023-27899 Jenkins: Temporary plugin file created with insecure permissions

2177629 - CVE-2023-27898 Jenkins: XSS vulnerability in plugin manager

2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions

2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents

2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern

2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray

2182864 - CVE-2023-26464 log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging

2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin

2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved