-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update
Advisory ID:       RHSA-2023:3663-01
Product:           OpenShift Developer Tools and Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3663
Issue date:        2023-06-19
CVE Names:         CVE-2022-2048 CVE-2022-22976 CVE-2022-40149
                   CVE-2022-40150 CVE-2022-41966 CVE-2022-42003
                   CVE-2022-42004 CVE-2023-1370 CVE-2023-1436
                   CVE-2023-20860 CVE-2023-26464 CVE-2023-27898
                   CVE-2023-27899 CVE-2023-27903 CVE-2023-27904
                   CVE-2023-32977 CVE-2023-32981
=====================================================================

1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging
(CVE-2023-26464)

* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)

* Jenkins: Temporary plugin file created with insecure permissions
(CVE-2023-27899)

* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job
Plugin (CVE-2023-32977)

* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

* springframework: BCrypt skips salt rounds for work factor of 31
(CVE-2022-22976)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
(CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write
vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)

* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)

* Jenkins: Temporary file parameter created with insecure permissions
(CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to
agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
2177626 - CVE-2023-27899 Jenkins: Temporary plugin file created with insecure permissions
2177629 - CVE-2023-27898 Jenkins: XSS vulnerability in plugin manager
2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions
2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2182864 - CVE-2023-26464 log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin
2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin

6. Package List:

OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8:

Source:
jenkins-2-plugins-4.11.1686831822-1.el8.src.rpm
jenkins-2.401.1.1686831596-3.el8.src.rpm

noarch:
jenkins-2-plugins-4.11.1686831822-1.el8.noarch.rpm
jenkins-2.401.1.1686831596-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2048
https://access.redhat.com/security/cve/CVE-2022-22976
https://access.redhat.com/security/cve/CVE-2022-40149
https://access.redhat.com/security/cve/CVE-2022-40150
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-26464
https://access.redhat.com/security/cve/CVE-2023-27898
https://access.redhat.com/security/cve/CVE-2023-27899
https://access.redhat.com/security/cve/CVE-2023-27903
https://access.redhat.com/security/cve/CVE-2023-27904
https://access.redhat.com/security/cve/CVE-2023-32977
https://access.redhat.com/security/cve/CVE-2023-32981
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJBOjdzjgjWX9erEAQiIaxAAqRYmp33KBW/CzJxQJPBVI+FFOVBPJw4N
FtPLHkS8dOc1jn8G9iFNB65yJIRNR22P7pMgAeLTxQdKfSRcqXATnRb9KeGyS9rc
zywKYyEgnijy6vw/0fU1xFl6nWxvmQILZbE74ifH0viiyjRRHsNmtNt4Qxad3FGI
UFrmJ56s4YozyfbWtuZmbgtAeQ7BvuofSLaDPUDAcycsVdZ09QOlZjjRF1P06b+S
Qd4pivaACd1ofI6lmLXsF2cU+iSbOs8N9NyVEBgh/K7BdevBvcpivvb6E24GuNu8
2YvG+cY5fdv3Z+LIrr3OSepH9PIRcJqKFmMCBPxHQ0K74dv3Vu1xzNyLf+dfy7xZ
qerl648jXX2OQ6uOb4nYCG+F9OL0VKIVLluNQE9nPtkTe1S/HNAjMIwl15jl/td0
fhjQrDCs6xRV4/tu+UvwC6cbyoEJES0WAsveF0vwKTN3+4Bq+DpPv29zbRwv+rXY
MlVqM4LsNwK0u9DiuoAPr5/l8irCwD9ekGyaoSyclOLYfhixXc2A0sowRxA6adPt
IyBKKn4R6k/Rsm10KyRn6zSSwFjnFemgf30yLpnq2kffjHcZfakpeTbgS5VkRIdG
SNA+ZZAYQXfK41I9kVQj82cxBEeeomdTvSYo7+IErUcEAATL+CJZO7RyF8rLJe8z
9EuOj2l9FI4=
=nbrJ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
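A practitioner-side check, added here and not part of the advisory or of Red Hat's tooling: given the fixed NVRs from the Package List (section 6), decide whether the jenkins and jenkins-2-plugins packages on a host are older than the fix. Plain string comparison gets RPM versions wrong (for example "2.401" versus "2.387" works by luck, "1.10" versus "1.9" does not), so the script ports the numeric/alpha segment comparison that librpm's rpmvercmp performs, including the "~" (pre-release) and "^" (post-release) separators, and compares epoch, version and release in that order. The two fixed NVRs are copied from section 6; the installed NVRs in the demo at the bottom are constructed for illustration, and on a real host you would feed it the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' jenkins jenkins-2-plugins` instead.

```python
"""Compare installed RPM NVRs against the fixed NVRs of RHSA-2023:3663.

Added example, not part of the advisory. rpmvercmp() is a Python port of
librpm's version-segment comparison so the check runs without python3-rpm.
"""
import re
from typing import Dict, List, Tuple

# Fixed NVRs copied from section 6 of RHSA-2023:3663 (arch/.rpm stripped).
RHSA_2023_3663_FIXED = [
    "jenkins-2-plugins-4.11.1686831822-1.el8",
    "jenkins-2.401.1.1686831596-3.el8",
]

_ARCH_SUFFIX = re.compile(r"\.(src|noarch|x86_64|aarch64|ppc64le|s390x|i686)$")
EVR = Tuple[int, str, str]  # (epoch, version, release)


def _isdigit(c: str) -> bool:
    return c.isascii() and c.isdigit()


def _isalpha(c: str) -> bool:
    return c.isascii() and c.isalpha()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like librpm's rpmvercmp(): separators are skipped,
    numeric segments compare as integers, alpha segments lexically, a numeric
    segment beats an alpha one, '~' sorts before everything (even end of
    string) and '^' sorts after end of string but before any other segment."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (_isdigit(a[i]) or _isalpha(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_isdigit(b[j]) or _isalpha(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":            # tilde: lower than anything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":            # caret: higher than end of string
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                   # one side exhausted
            break
        isnum = _isdigit(ca)
        take = _isdigit if isnum else _isalpha
        m, n = i, j
        while m < len(a) and take(a[m]):
            m += 1
        while n < len(b) and take(b[n]):
            n += 1
        seg_a, seg_b = a[i:m], b[j:n]
        if not seg_b:                         # mixed types: numeric is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):      # more significant digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = m, n
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1           # whoever has segments left wins


def parse_nvr(nvr: str) -> Tuple[str, EVR]:
    """Split 'name-[epoch:]version-release[.arch][.rpm]' into (name, EVR)."""
    nvr = _ARCH_SUFFIX.sub("", re.sub(r"\.rpm$", "", nvr))
    try:
        name, version, release = nvr.rsplit("-", 2)
    except ValueError:
        raise ValueError(f"not an NVR: {nvr!r}") from None
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, (epoch, version, release)


def compare_evr(x: EVR, y: EVR) -> int:
    """Epoch first, then version, then release (same order as rpm)."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def check_against_advisory(installed: List[str],
                           fixed: List[str] = RHSA_2023_3663_FIXED) -> Dict[str, str]:
    """Map each package named in `fixed` to FIXED, VULNERABLE or NOT INSTALLED."""
    have = dict(parse_nvr(p) for p in installed)
    result: Dict[str, str] = {}
    for f in fixed:
        name, fixed_evr = parse_nvr(f)
        if name not in have:
            result[name] = "NOT INSTALLED"
        else:
            result[name] = "VULNERABLE" if compare_evr(have[name], fixed_evr) < 0 else "FIXED"
    return result


if __name__ == "__main__":
    # Constructed sample: an older, hypothetical jenkins build next to a
    # jenkins-2-plugins build that already matches the advisory.
    sample = ["jenkins-2.387.3.1683009282-2.el8",
              "jenkins-2-plugins-4.11.1686831822-1.el8"]
    for pkg, state in check_against_advisory(sample).items():
        print(f"{pkg}: {state}")
```

The release field matters as much as the version: a host carrying `jenkins-2.401.1.1686831596-2.el8` (constructed) has the same upstream version as the fix but an older build and is still reported VULNERABLE, which is why the comparison is done on the full EVR rather than on the Jenkins version string alone.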