-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: jenkins and jenkins-2-plugins security update Advisory ID: RHSA-2023:3622-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3622 Issue date: 2023-06-15 CVE Names: CVE-2022-29599 CVE-2022-30953 CVE-2022-30954 CVE-2023-1370 CVE-2023-1436 CVE-2023-20860 CVE-2023-20861 CVE-2023-27903 CVE-2023-27904 ==================================================================== 1. Summary: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * maven-shared-utils: Command injection via Commandline class (CVE-2022-29599) * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370) * springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860) * Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953) * Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954) * jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436) * springframework: Spring Expression DoS Vulnerability (CVE-2023-20861) * Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903) * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2066479 - CVE-2022-29599 maven-shared-utils: Command injection via Commandline class 2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin 2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin 2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents 2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern 2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray 2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) 6. Package List: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8: Source: jenkins-2-plugins-4.13.1686680473-1.el8.src.rpm jenkins-2.401.1.1686680404-3.el8.src.rpm noarch: jenkins-2-plugins-4.13.1686680473-1.el8.noarch.rpm jenkins-2.401.1.1686680404-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-29599 https://access.redhat.com/security/cve/CVE-2022-30953 https://access.redhat.com/security/cve/CVE-2022-30954 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-1436 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20861 https://access.redhat.com/security/cve/CVE-2023-27903 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/updates/classification/#important https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZIsIV9zjgjWX9erEAQiXzxAAkFBO1PgaRFIdtMpH01UntLYY/Rw29jJg X3/b+Vk5btL5nt8WlFtR0CpTy4EKq9wEqLK976Er45NFGrgTFDNMDxwl0BESHdiq mXSzso57abdctD4yIfQBRAJD9ZeuiDVimx3b7OcjQaJf5uZ1E3764O2k2g8SdRXP 9SaKGs8g8nDSOtA21fTP7XxJQNrPuOcga6e/lTDniEh8VvbiEVm8l1O1Yu3Wbmn4 9py6r4AAe9OgzJ+iJvWq8IJLWA9iPH650IKWIN68ZmOyhPU7mGsekfXNrcFtMtTh D5loI7LuiNFv8ludLGB6b98osbk0m6XCYzbpUKCPq7EAmMzyPeeRXDzkxHCEywo4 ysnkGGapt2u4iYkcgrxRK0vYdF7CibWpgd6WglqZLQp/Q5HmFMOLMCtylcq9WbHs UQnNWjm6NvJWroLJXj6PadzzHzPHVgSLRm+O/Bb4ebiYlLGcem4BaAzdkK4Q4kpl G7QTsKYHyhHOiEd+6MfMjwYjWnESQ3MzgbA2+zAeTrZZkaP/zhhzEKm+PVJsqiN0 iwZl/vjqvgVRXWfTrwt8uKH+H2HSJsWfuLvqrJIzIvsSji1V4eUgZPKwdldq9zIq wrV1rePM63Zt+3tytZx6nIe97pRqqM1wKZIyVhrL38tU4RGjYRLGQIxYM7IWcMnl RYuXKRamsHk=/S5s -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce