Bug 1952146 (CVE-2021-21642)

Summary: CVE-2021-21642 jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks.
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, aos-bugs, bmontgom, eparis, jburrell, jokerman, nstielau, pbhattac, sponnaga, vbobade
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: config-file-provider 3.7.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the config-file-provider Jenkins plugin. The plugin XML parser wasn't configure to prevent XML external entity (XXE) attacks. An attacker with the ability to define Maven configuration files can use this vulnerability to prepare a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-01 05:32:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1952560, 1952561, 1952562, 1952563, 1952564    
Bug Blocks: 1952147    

Description Michael Kaplan 2021-04-21 15:36:55 UTC 
Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Comment 1 Michael Kaplan 2021-04-21 15:37:35 UTC 
External References:

https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204
Comment 2 Przemyslaw Roguski 2021-04-22 13:50:52 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 5 errata-xmlrpc 2021-06-01 04:09:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2122 https://access.redhat.com/errata/RHSA-2021:2122
Comment 6 Product Security DevOps Team 2021-06-01 05:32:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21642
Comment 8 errata-xmlrpc 2021-06-30 15:45:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:2517 https://access.redhat.com/errata/RHSA-2021:2517
Comment 9 errata-xmlrpc 2021-07-02 00:18:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:2431 https://access.redhat.com/errata/RHSA-2021:2431