While the Jenkins update site data is digitally signed, and the signature verified by Jenkins, Jenkins did not verify the provided SHA-1 checksums for the plugin files referenced in the update site data. This enabled MITM attacks on the plugin manager, resulting in installation of attacker-provided plugins. This could allow attackers able to manipulate the network path between Jenkins and the update site to install and run arbitrary code on Jenkins. External References: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1291799]
This issue has been addressed in the following products: RHEL 7 Version of OpenShift Enterprise 3.1 Via RHSA-2016:0070 https://access.redhat.com/errata/RHSA-2016:0070
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 2.2 Via RHSA-2016:0489 https://rhn.redhat.com/errata/RHSA-2016-0489.html