Bug 1795930

Summary: CVE-2019-11358 atomic-openshift-web-console: js-jquery: Web console vulnerable to CVE-2019-11358 (moderate impact) [openshift-enterprise-3.11.z]
Product: OpenShift Container Platform
Reporter: Sergio G. <sgarciam>
Component: Management Console
Assignee: Robb Hamilton <rhamilto>
Status: CLOSED ERRATA
QA Contact: Yadan Pei <yapei>
Severity: medium
Priority: unspecified
Version: 3.11.0
CC: aos-bugs, bpeterse, hasha, jokerman, rhamilto, sfowler, spadgett, yuxzhu
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: The version of jQuery used in the web console contains a security vulnerability.
Consequence: See https://nvd.nist.gov/vuln/detail/CVE-2019-11358
Fix: Upgrade jQuery to a new, patched version that fixes the vulnerability.
Result: The management console now uses a patched version of jQuery and no longer includes the vulnerability.
Story Points: ---
Last Closed: 2020-02-19 19:53:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1701972

Description Sergio G. 2020-01-29 09:28:14 UTC
Description of problem:
A security scan reports that the web console in 3.11 contains a vendor.js bundle with jQuery 3.2.1, vulnerable to CVE-2019-11358.

Additional info:
- https://nvd.nist.gov/vuln/detail/CVE-2019-11358
- Some projects were updated in 2019 to fix this CVE, but OpenShift wasn't one of them: https://access.redhat.com/security/cve/CVE-2019-11358

Comment 4 shahan 2020-02-04 05:17:55 UTC
Get the version of jQuery in the console dev tools:

$().jquery
"3.4.0"

Or

jQuery().jquery
"3.4.0"
From https://access.redhat.com/security/cve/CVE-2019-11358, the jQuery vulnerability should be fixed in 3.4.0.

Verified on:
OpenShift Master: v3.11.169
Kubernetes Master: v1.11.0+d4cacc0
OpenShift Web Console: v3.11.169
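
Added example, not code from the bug report or the OpenShift web console project: the check a scanner would run over a bundle such as vendor.js, extracting the jQuery version from its banner and comparing it with the fix release 3.4.0 named in the comment above. The sample bundle contents are constructed, and the "/*! jQuery ..." banner is assumed to survive bundling; the in-browser `$().jquery` check above stays the authoritative one.

```javascript
// Added example, not code from the bug report or the OpenShift web console project:
// locate the jQuery banner inside a bundle such as vendor.js (what the security scan
// in the description did) and compare it with the release that fixed CVE-2019-11358.
// Assumption: the "/*! jQuery ..." banner survives bundling, which is what the "!"
// is for; the in-browser check $().jquery from the comment above stays authoritative.
// Fix release per https://access.redhat.com/security/cve/CVE-2019-11358 (linked above).
const CVE_2019_11358_FIXED_IN = "3.4.0";

// Constructed sample bundles standing in for vendor.js contents (banner plus a stub body).
const SAMPLE_BUNDLES = {
  "vendor-before-fix.js":
    "/*! jQuery v3.2.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(a,b){}(window);",
  "vendor-after-fix.js":
    "/*!\n * jQuery JavaScript Library v3.4.0\n * https://jquery.com/\n */\n(function(){})();",
  "vendor-no-jquery.js":
    "/*! lodash 4.17.15 */\n;(function(){})();",
};

// Extract "major.minor.patch" from either the minified or the unminified jQuery banner.
function jqueryVersionFromBundle(source) {
  const m = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/.exec(source);
  return m ? m[1] : null;
}

// Numeric three-part version comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every jQuery release before 3.4.0 (1.x and 2.x included) is affected.
function isVulnerableToCVE201911358(version) {
  return compareVersions(version, CVE_2019_11358_FIXED_IN) < 0;
}

// Audit one bundle; vulnerable === null means no jQuery banner was found.
function auditBundle(name, source) {
  const version = jqueryVersionFromBundle(source);
  const vulnerable = version === null ? null : isVulnerableToCVE201911358(version);
  return { bundle: name, jquery: version, vulnerable };
}

function auditBundles(bundles) {
  return Object.entries(bundles).map(([name, src]) => auditBundle(name, src));
}

console.table(auditBundles(SAMPLE_BUNDLES));
```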

Comment 6 errata-xmlrpc 2020-02-19 19:53:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0402

Comment 7 Sam Fowler 2020-04-15 04:10:56 UTC
In the future, please contact Product Security <secalert> before filing bugs or working on fixes for CVEs.

In this case, this fix was released to customers without Product Security's involvement which means that it was undocumented. There was no RHSA, no published scanning data, no CVE page entry. Undocumented security fixes are a High level exception under ProdSec policy:

https://docs.engineering.redhat.com/pages/viewpage.action?pageId=74060126

I have linked the RHBA with this CVE as a bandaid solution, but we can't convert RHBAs to RHSAs after they have released.

For OpenShift, this document has info for working on CVE fixes:

https://mojo.redhat.com/docs/DOC-1194006

A possible reason why there weren't earlier OpenShift bugs for this CVE is likely that the OpenShift web console does not provide a manifest of its vendored JS dependencies to Product Security. Maintainers can provide manifests by following this doc:

https://mojo.redhat.com/docs/DOC-1195158