RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3622)

2024-04-2800:00:00

www.tenable.com

rhel 8

jenkins

jenkins-2-plugins

vulnerabilities

rhsa-2023:3622

command injection

csrf

missing permission checks

uncontrolled resource consumption

uncontrolled recursion

security bypass

spring expression dos

temporary file parameter

information disclosure

7.4 High

AI Score

Confidence

Low

JSON

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3622 advisory.

maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2023:3622. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(194300);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/28");

  script_cve_id(
    "CVE-2022-29599",
    "CVE-2022-30953",
    "CVE-2022-30954",
    "CVE-2023-1370",
    "CVE-2023-1436",
    "CVE-2023-20860",
    "CVE-2023-20861",
    "CVE-2023-27903",
    "CVE-2023-27904"
  );
  script_xref(name:"RHSA", value:"2023:3622");

  script_name(english:"RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3622)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for jenkins / jenkins-2-plugins.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2023:3622 advisory.

  - maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
    (CVE-2023-1370)

  - jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

  - springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  - springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

  - Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

  - Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#important");
  # https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?83e5ee3c");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2066479");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2119646");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2119647");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2177632");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2177634");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2180528");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2180530");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2182788");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2188542");
  # https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_3622.json
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d629a5d7");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2023:3622");
  script_set_attribute(attribute:"solution", value:
"Update the RHEL jenkins / jenkins-2-plugins packages based on the guidance in RHSA-2023:3622.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-29599");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(77, 155, 200, 266, 352, 674, 770, 862);
  script_set_attribute(attribute:"vendor_severity", value:"Important");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/06/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jenkins");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'repo_relative_urls': [
      'content/dist/layered/rhel8/aarch64/ocp-tools/4.13/debug',
      'content/dist/layered/rhel8/aarch64/ocp-tools/4.13/os',
      'content/dist/layered/rhel8/aarch64/ocp-tools/4.13/source/SRPMS',
      'content/dist/layered/rhel8/ppc64le/ocp-tools/4.13/debug',
      'content/dist/layered/rhel8/ppc64le/ocp-tools/4.13/os',
      'content/dist/layered/rhel8/ppc64le/ocp-tools/4.13/source/SRPMS',
      'content/dist/layered/rhel8/s390x/ocp-tools/4.13/debug',
      'content/dist/layered/rhel8/s390x/ocp-tools/4.13/os',
      'content/dist/layered/rhel8/s390x/ocp-tools/4.13/source/SRPMS',
      'content/dist/layered/rhel8/x86_64/ocp-tools/4.13/debug',
      'content/dist/layered/rhel8/x86_64/ocp-tools/4.13/os',
      'content/dist/layered/rhel8/x86_64/ocp-tools/4.13/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'jenkins-2-plugins-4.13.1686680473-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'cves':['CVE-2022-29599', 'CVE-2022-30953', 'CVE-2022-30954', 'CVE-2023-1436']},
      {'reference':'jenkins-2.401.1.1686680404-3.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'cves':['CVE-2023-1370', 'CVE-2023-20860', 'CVE-2023-20861', 'CVE-2023-27903', 'CVE-2023-27904']}
    ]
  }
];

var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
  foreach var pkg ( constraint_array['pkgs'] ) {
    var reference = NULL;
    var _release = NULL;
    var sp = NULL;
    var _cpu = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var epoch = NULL;
    var allowmaj = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        _release &&
        rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
        (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
        rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
  else extra = rpm_report_get();
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : extra
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jenkins / jenkins-2-plugins');
}

VendorProductVersionCPE
redhatenterprise_linux8cpe:/o:redhat:enterprise_linux:8
redhatenterprise_linuxjenkinsp-cpe:/a:redhat:enterprise_linux:jenkins
redhatenterprise_linuxjenkins-2-pluginsp-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins

Vendor	Product	Version	CPE
redhat	enterprise_linux	8	cpe:/o:redhat:enterprise_linux:8
redhat	enterprise_linux	jenkins	p-cpe:/a:redhat:enterprise_linux:jenkins
redhat	enterprise_linux	jenkins-2-plugins	p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins