Users with the Overall/RunScripts permission (typically administrators) were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire. Such a cookie granted access to the Jenkins instance for as long as the corresponding user existed in the configured security realm, so an attacker who had already compromised an administrator account could use it to persist access after the original attack.
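A practitioner triaging this flaw will want to know whether any remember-me cookies with an implausibly distant expiry are in circulation (in proxy or access logs, or in a browser's cookie store). The following check is an added example, not code from the advisory, Jenkins or Red Hat. It assumes the cookie uses the Spring Security token-based remember-me layout that Jenkins builds on, base64(username ":" expiryMillis ":" signature), and flags any token whose expiry lies further in the future than a locally chosen maximum lifetime (the 14-day figure below is this example's own policy, not a Jenkins default). The sample cookies are constructed inline and carry no real signature.

```python
import base64
import binascii
import time

# Assumed local policy for the longest remember-me lifetime that is acceptable.
# This is an example threshold, not a value Jenkins ships with.
MAX_LIFETIME_SECONDS = 14 * 24 * 3600


def decode_remember_me(cookie_value):
    """Decode a remember-me cookie into (username, expiry_epoch_seconds, signature).

    Assumes the Spring Security TokenBasedRememberMeServices layout:
    base64(username ":" expiryMillis ":" signature[":" algorithm]).
    Raises ValueError for anything that does not fit that layout.
    """
    # Cookie values are sometimes stored without base64 padding; restore it.
    padded = cookie_value + "=" * (-len(cookie_value) % 4)
    try:
        raw = base64.b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a base64 remember-me token") from exc
    parts = raw.split(":")
    if len(parts) < 3:
        raise ValueError("expected username:expiryMillis:signature")
    username, expiry_ms, signature = parts[0], parts[1], parts[2]
    try:
        expiry = int(expiry_ms) / 1000.0  # Java millis since epoch -> seconds
    except ValueError as exc:
        raise ValueError("expiry field is not an integer") from exc
    return username, expiry, signature


def check_remember_me(cookie_value, now=None, max_lifetime=MAX_LIFETIME_SECONDS):
    """Classify a cookie as 'expired', 'ok', or 'suspicious'.

    'suspicious' means the expiry is further away than max_lifetime allows,
    which is what a hand-crafted never-expiring token looks like.
    """
    now = time.time() if now is None else now
    _, expiry, _ = decode_remember_me(cookie_value)
    if expiry <= now:
        return "expired"
    if expiry - now > max_lifetime:
        return "suspicious"
    return "ok"


def make_sample_cookie(username, expiry_seconds, signature="0000"):
    """Build a constructed sample cookie for demonstration; the signature is a placeholder."""
    token = f"{username}:{int(expiry_seconds * 1000)}:{signature}"
    return base64.b64encode(token.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    now = time.time()
    # Constructed samples: a normal one-week cookie and a crafted ten-year cookie.
    for label, cookie in [
        ("one week", make_sample_cookie("admin", now + 7 * 86400)),
        ("ten years", make_sample_cookie("admin", now + 10 * 365 * 86400)),
    ]:
        user, expiry, _ = decode_remember_me(cookie)
        print(f"{label}: user={user} expires_in={int(expiry - now)}s -> {check_remember_me(cookie)}")
```

Only the expiry field is inspected here; the signature is not verified, because that requires the instance's secret key. A cookie flagged as suspicious should be treated as a persistence indicator and the affected user's sessions and credentials reviewed.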
Created jenkins tracking bugs for this issue: Affects: fedora-28 [bug 1668346]
External References: https://jenkins.io/security/advisory/2019-01-16/
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1668446]
The v3.11 image has already been released with 2.150.2. Customers should look for:

registry.access.redhat.com/openshift3/jenkins-2-rhel7   v3.11   19080d270283   2 weeks ago   1.42GB

and the 4.0 image is shipping with 2.150.2.

Per strategy for Jenkins security advisories, we are only updating 3.11.x and 4.x. Instructions for how older 3.x clusters can use the 3.11.x image are at https://github.com/openshift/jenkins#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHBA-2019:0326 https://access.redhat.com/errata/RHBA-2019:0326