rhsa-2019_1636
Vulnerability from csaf_redhat
Published
2019-07-03 11:56
Modified
2024-11-05 21:11
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.1 jenkins-2-plugins security update

Notes

Topic
An update for jenkins-2-plugins is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This advisory contains the jenkins-2-plugins RPM packages for Red Hat OpenShift Container Platform 4.1.4. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2019:1635 Security Fix(es): * jenkins-plugin-workflow-remote-loader: Unsafe Script Security whitelist entry in Pipeline Remote Loader Plugin (CVE-2019-10328) * jenkins-credentials-plugin: Certificate file read vulnerability in Credentials Plugin (CVE-2019-10320) * jenkins-plugin-token-macro: XML External Entity processing the ${XML} macro (CVE-2019-10337) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. You may download the oc tool and use it to inspect release image metadata as follows: $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.1.4 The image digest is sha256:a6c177eb007d20bb00bfd8f829e99bd40137167480112bd5ae1c25e40a4a163a All OpenShift Container Platform 4.1 users are advised to upgrade to these updated packages and images.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for jenkins-2-plugins is now available for Red Hat OpenShift\nContainer Platform 4.1.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This advisory contains the jenkins-2-plugins RPM packages for Red Hat\nOpenShift Container Platform 4.1.4. See the following advisory for the\ncontainer images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2019:1635\n\nSecurity Fix(es):\n\n* jenkins-plugin-workflow-remote-loader: Unsafe Script Security whitelist \nentry in Pipeline Remote Loader Plugin (CVE-2019-10328)\n\n* jenkins-credentials-plugin: Certificate file read vulnerability in\nCredentials Plugin (CVE-2019-10320)\n\n* jenkins-plugin-token-macro: XML External Entity processing the ${XML}\nmacro (CVE-2019-10337)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\n\nYou may download the oc tool and use it to inspect release image metadata\nas follows:\n\n  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.1.4\n\nThe image digest is sha256:a6c177eb007d20bb00bfd8f829e99bd40137167480112bd5ae1c25e40a4a163a\n\nAll OpenShift Container Platform 4.1 users are advised to upgrade to these\nupdated packages and images.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2019:1636",
        "url": "https://access.redhat.com/errata/RHSA-2019:1636"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1714054",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1714054"
      },
      {
        "category": "external",
        "summary": "1716794",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1716794"
      },
      {
        "category": "external",
        "summary": "1719782",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1719782"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1636.json"
      }
    ],
    "title": "Red Hat Security Advisory: OpenShift Container Platform 4.1 jenkins-2-plugins security update",
    "tracking": {
      "current_release_date": "2024-11-05T21:11:36+00:00",
      "generator": {
        "date": "2024-11-05T21:11:36+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2019:1636",
      "initial_release_date": "2019-07-03T11:56:08+00:00",
      "revision_history": [
        {
          "date": "2019-07-03T11:56:08+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-07-03T11:56:08+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T21:11:36+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Container Platform 4.1",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4.1",
                  "product_id": "7Server-RH7-RHOSE-4.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:4.1::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.1.1561471763-1.el7.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.1.1561471763-1.el7.src",
                  "product_id": "jenkins-2-plugins-0:4.1.1561471763-1.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.1.1561471763-1.el7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
                  "product_id": "jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.1.1561471763-1.el7?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch as a component of Red Hat OpenShift Container Platform 4.1",
          "product_id": "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.1.1561471763-1.el7.src as a component of Red Hat OpenShift Container Platform 4.1",
          "product_id": "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.1.1561471763-1.el7.src",
        "relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-10320",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "discovery_date": "2019-05-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1714054"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins-credentials-plugin: Certificate file read vulnerability in Credentials Plugin (SECURITY-1322)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
          "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-10320"
        },
        {
          "category": "external",
          "summary": "RHBZ#1714054",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1714054"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10320",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-10320"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10320",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10320"
        },
        {
          "category": "external",
          "summary": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322",
          "url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"
        }
      ],
      "release_date": "2019-05-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-07-03T11:56:08+00:00",
          "details": "For OpenShift Container Platform 4.1 see the following documentation, which\nwill be updated shortly for release 4.1.4, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html",
          "product_ids": [
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1636"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jenkins-credentials-plugin: Certificate file read vulnerability in Credentials Plugin (SECURITY-1322)"
    },
    {
      "cve": "CVE-2019-10328",
      "cwe": {
        "id": "CWE-184",
        "name": "Incomplete List of Disallowed Inputs"
      },
      "discovery_date": "2019-06-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1716794"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Jenkins Workflow Remote Loader plugin. An unsafe whitelist entry was made that allowed invoking arbitrary methods and bypassing sandbox protection. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins-plugin-workflow-remote-loader: Unsafe Script Security whitelist entry in Pipeline Remote Loader Plugin (SECURITY-921)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
          "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-10328"
        },
        {
          "category": "external",
          "summary": "RHBZ#1716794",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1716794"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10328",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-10328"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10328",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10328"
        },
        {
          "category": "external",
          "summary": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-921",
          "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-921"
        }
      ],
      "release_date": "2019-05-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-07-03T11:56:08+00:00",
          "details": "For OpenShift Container Platform 4.1 see the following documentation, which\nwill be updated shortly for release 4.1.4, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html",
          "product_ids": [
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1636"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jenkins-plugin-workflow-remote-loader: Unsafe Script Security whitelist entry in Pipeline Remote Loader Plugin (SECURITY-921)"
    },
    {
      "cve": "CVE-2019-10337",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2019-06-12T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1719782"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the \"XML\" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins-plugin-token-macro: XML External Entity processing the ${XML} macro",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
          "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-10337"
        },
        {
          "category": "external",
          "summary": "RHBZ#1719782",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1719782"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10337",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-10337"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10337",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10337"
        },
        {
          "category": "external",
          "summary": "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399",
          "url": "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399"
        }
      ],
      "release_date": "2019-06-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-07-03T11:56:08+00:00",
          "details": "For OpenShift Container Platform 4.1 see the following documentation, which\nwill be updated shortly for release 4.1.4, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html",
          "product_ids": [
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1636"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.noarch",
            "7Server-RH7-RHOSE-4.1:jenkins-2-plugins-0:4.1.1561471763-1.el7.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jenkins-plugin-token-macro: XML External Entity processing the ${XML} macro"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.