[RHSA-2023:1064-01] Critical: OpenShift Developer Tools and Services for OCP 4.12 security update
Posted on 06 March 2023
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: OpenShift Developer Tools and Services for OCP 4.12 security update
Advisory ID: RHSA-2023:1064-01
Product: OpenShift Developer Tools and Services
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1064
Issue date: 2023-03-06
CVE Names: CVE-2022-29047 CVE-2022-30952 CVE-2022-42003
CVE-2022-42004 CVE-2022-43401 CVE-2022-43402
CVE-2022-43403 CVE-2022-43404 CVE-2022-43405
CVE-2022-43406 CVE-2022-43407 CVE-2022-43408
CVE-2022-43409 CVE-2022-43410 CVE-2022-45047
=====================================================================
1. Summary:
An update for Jenkins and Jenkins-2-plugins is now available for OpenShift
Developer Tools and Services for OCP 4.12.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch
3. Description:
Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:
Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* Pipeline Shared Groovy Libraries: Untrusted users can modify some
Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
(CVE-2022-29047)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* Jenkins plugin: User-scoped credentials exposed to other users by
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:
Supporting APIs Plugin (CVE-2022-43409)
* jenkins-plugin/mercurial: Webhook endpoint discloses job names to
unauthorized users in Mercurial Plugin (CVE-2022-43410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For important instructions on how to upgrade your cluster and fully apply
this asynchronous errata update in OpenShift Container Platform 4.12, see
the following documentation, which will be updated shortly for this
release:
https://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html
5. Bugs fixed (https://bugzilla.redhat.com/):
2074855 - CVE-2022-29047 Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
2119645 - CVE-2022-30952 Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2136369 - CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin
2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin
2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin
2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin
2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin
2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin
2136391 - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
6. Package List:
OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:
Source:
jenkins-2-plugins-4.12.1675702407-1.el8.src.rpm
jenkins-2.361.4.1675702346-3.el8.src.rpm
noarch:
jenkins-2-plugins-4.12.1675702407-1.el8.noarch.rpm
jenkins-2.361.4.1675702346-3.el8.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-29047
https://access.redhat.com/security/cve/CVE-2022-30952
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-43401
https://access.redhat.com/security/cve/CVE-2022-43402
https://access.redhat.com/security/cve/CVE-2022-43403
https://access.redhat.com/security/cve/CVE-2022-43404
https://access.redhat.com/security/cve/CVE-2022-43405
https://access.redhat.com/security/cve/CVE-2022-43406
https://access.redhat.com/security/cve/CVE-2022-43407
https://access.redhat.com/security/cve/CVE-2022-43408
https://access.redhat.com/security/cve/CVE-2022-43409
https://access.redhat.com/security/cve/CVE-2022-43410
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.