Detections
Analytics

RHEL 8 : OpenShift Container Platform 4.10.51 (RHSA-2023:0560)

critical Nessus Plugin ID 194208

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for OpenShift Container Platform 4.10.51.

Description

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:0560 advisory.

 Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

 Security Fix(es):

 * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
 * jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:
 Groovy Plugin (CVE-2022-43402)
 * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
 * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
 * jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
 * jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
 * google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)
 * snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
 * jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
 * mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
 * jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)
 * jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)
 * jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin (CVE-2022-45381)
 * Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)
 * Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
 * Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
 * Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
 * jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)
 * jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883)
 * jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36884)
 * jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)
 * jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
 * jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:
 Supporting APIs Plugin (CVE-2022-43409)

 For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL OpenShift Container Platform 4.10.51 package based on the guidance in RHSA-2023:0560.

See Also

https://access.redhat.com/security/updates/classification/#critical

https://bugzilla.redhat.com/show_bug.cgi?id=1856376

https://bugzilla.redhat.com/show_bug.cgi?id=2116840

https://bugzilla.redhat.com/show_bug.cgi?id=2119643

https://bugzilla.redhat.com/show_bug.cgi?id=2119645

https://bugzilla.redhat.com/show_bug.cgi?id=2119646

https://bugzilla.redhat.com/show_bug.cgi?id=2119647

https://bugzilla.redhat.com/show_bug.cgi?id=2119656

https://bugzilla.redhat.com/show_bug.cgi?id=2119657

https://bugzilla.redhat.com/show_bug.cgi?id=2119658

https://bugzilla.redhat.com/show_bug.cgi?id=2126789

https://bugzilla.redhat.com/show_bug.cgi?id=2136370

https://bugzilla.redhat.com/show_bug.cgi?id=2136374

https://bugzilla.redhat.com/show_bug.cgi?id=2136379

https://bugzilla.redhat.com/show_bug.cgi?id=2136381

https://bugzilla.redhat.com/show_bug.cgi?id=2136382

https://bugzilla.redhat.com/show_bug.cgi?id=2136383

https://bugzilla.redhat.com/show_bug.cgi?id=2136386

https://bugzilla.redhat.com/show_bug.cgi?id=2136388

https://bugzilla.redhat.com/show_bug.cgi?id=2136391

https://bugzilla.redhat.com/show_bug.cgi?id=2143086

https://bugzilla.redhat.com/show_bug.cgi?id=2143089

https://bugzilla.redhat.com/show_bug.cgi?id=2143090

https://bugzilla.redhat.com/show_bug.cgi?id=2145194

http://www.nessus.org/u?ab4c65ac

https://access.redhat.com/errata/RHSA-2023:0560

Plugin Details

Severity: Critical

ID: 194208

File Name: redhat-RHSA-2023-0560.nasl

Version: 1.1

Type: local

Agent: unix

Published: 4/28/2024

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2020-7692

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-43406

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins, cpe:/o:redhat:enterprise_linux:8

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/8/2023

Vulnerability Publication Date: 7/9/2020

Reference Information

CVE: CVE-2020-7692, CVE-2022-25857, CVE-2022-30946, CVE-2022-30952, CVE-2022-30953, CVE-2022-30954, CVE-2022-36882, CVE-2022-36883, CVE-2022-36884, CVE-2022-36885, CVE-2022-43401, CVE-2022-43402, CVE-2022-43403, CVE-2022-43404, CVE-2022-43405, CVE-2022-43406, CVE-2022-43407, CVE-2022-43408, CVE-2022-43409, CVE-2022-45047, CVE-2022-45379, CVE-2022-45380, CVE-2022-45381

CWE: 200, 208, 22, 328, 352, 358, 400, 502, 668, 693, 79, 838, 862

RHSA: 2023:0560