The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3625 advisory.
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. This issue is patched in version 1.4.20, which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers to these only as the default map or set is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and that all elements are comparable. (CVE-2022-41966)
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using ** as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass. (CVE-2023-20860)
Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately. (CVE-2023-32977)
Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system. (CVE-2023-32979)
A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job. (CVE-2023-32980)
An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content. (CVE-2023-32981)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2023:3625. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(189419);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/24");

  script_cve_id(
    "CVE-2022-41966",
    "CVE-2023-20860",
    "CVE-2023-32977",
    "CVE-2023-32979",
    "CVE-2023-32980",
    "CVE-2023-32981"
  );
  script_xref(name:"RHSA", value:"2023:3625");

  script_name(english:"RHCOS 4 : OpenShift Container Platform 4.10.62 (RHSA-2023:3625)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat CoreOS host is missing one or more security updates for OpenShift Container Platform 4.10.62.");
  script_set_attribute(attribute:"description", value:
"The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities
as referenced in the RHSA-2023:3625 advisory.

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote
    attacker to terminate the application with a stack overflow error, resulting in a denial of service only
    via manipulation of the processed input stream. The attack uses the hash code implementation for collections
    and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version
    1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential
    workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or
    set, is to change the default implementation of java.util.Map and java.util per the code example in the
    referenced advisory. However, this implies that your application does not care about the implementation of
    the map and all elements are comparable. (CVE-2022-41966)

  - Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using ** as a pattern in Spring
    Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring
    Security and Spring MVC, and the potential for a security bypass. (CVE-2023-20860)

  - Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to
    be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able
    to set build display names immediately. (CVE-2023-32977)

  - Jenkins Email Extension Plugin does not perform a permission check in a method implementing form
    validation, allowing attackers with Overall/Read permission to check for the existence of files in the
    email-templates/ directory in the Jenkins home directory on the controller file system. (CVE-2023-32979)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to
    make another user stop watching an attacker-specified job. (CVE-2023-32980)

  - An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows
    attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent
    file system with attacker-specified content. (CVE-2023-32981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2022-41966");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-20860");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-32977");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-32979");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-32980");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2023-32981");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2023:3625");
  script_set_attribute(attribute:"solution", value:
"Update the RHCOS OpenShift Container Platform 4.10.62 package based on the guidance in RHSA-2023:3625.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-32981");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(79, 120, 121, 155, 266, 352, 502);
  script_set_attribute(attribute:"vendor_severity", value:"Important");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/06/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8:coreos");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jenkins");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');
include('rhel.inc');

# Local checks need a credentialed session and a package list; bail out otherwise.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat CoreOS');
os_ver = os_ver[1];
# Only RHCOS 4.10 is covered by this advisory.
if (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '4.10')) audit(AUDIT_OS_NOT, 'Red Hat CoreOS 4.10', 'Red Hat CoreOS ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat CoreOS', cpu);

# Fixed package versions from the advisory. 'exists_check' gates each comparison on a
# package that marks an OpenShift node, so unrelated RHEL 8 hosts are not flagged.
var pkgs = [
    {'reference':'jenkins-2-plugins-4.10.1685679861-1.el8', 'release':'4', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'},
    {'reference':'jenkins-2.401.1.1685677065-1.el8', 'release':'4', 'el_string':'el8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift-hyperkube'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  # Reset every per-package local so a key missing from one entry
  # does not inherit the previous entry's value.
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'RHCOS' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  # Compare the installed RPM against the fixed reference version; count each vulnerable match.
  if (reference &&
      _release &&
      (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
      rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jenkins / jenkins-2-plugins');
}
```
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | jenkins | p-cpe:/a:redhat:enterprise_linux:jenkins |
| redhat | enterprise_linux | jenkins-2-plugins | p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins |
| redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8:coreos |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20860
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32977
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32979
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32980
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32981
access.redhat.com/errata/RHSA-2023:3625
access.redhat.com/security/cve/CVE-2022-41966
access.redhat.com/security/cve/CVE-2023-20860
access.redhat.com/security/cve/CVE-2023-32977
access.redhat.com/security/cve/CVE-2023-32979
access.redhat.com/security/cve/CVE-2023-32980
access.redhat.com/security/cve/CVE-2023-32981