When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm does not result in the user losing access to Jenkins. While deleting the user record from Jenkins did invalidate the 'Remember me' cookie, there was no way to invalidate active sessions besides restarting Jenkins or terminating sessions through other means, such as the Monitoring Plugin. Jenkins now encodes a per-user seed value in sessions, 'Remember me' cookies, and cached authentications of the remoting-based CLI. This seed can be reset manually, either by the user themselves or by an administrator, on the user's configuration page. Doing so invalidates all current sessions, 'Remember me' cookies, and cached CLI authentications, so credentials must be entered again to authenticate. Deleting a user record in Jenkins now also invalidates existing sessions, because the current seed value is deleted along with it.
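As an added illustration (not Jenkins code), the following Python sketch models the seed mechanism described above: each session and 'Remember me' token carries a snapshot of the user's seed, so resetting the seed or deleting the user record causes the next validation to fail. The class, the token layout and the cookie key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class SeededAuthStore:
    """Constructed model: sessions and 'Remember me' tokens bound to a per-user seed."""

    def __init__(self, cookie_key):
        self.cookie_key = cookie_key  # server secret for the remember-me MAC (assumed)
        self.seeds = {}               # user name -> current seed (lives in the user record)
        self.sessions = {}            # session id -> (user name, seed snapshot at login)

    def add_user(self, name):
        self.seeds[name] = secrets.token_hex(16)

    def login(self, name):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (name, self.seeds[name])  # snapshot the seed into the session
        return sid

    def is_session_valid(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        name, seed_at_login = entry
        current = self.seeds.get(name)  # None once the user record is deleted
        return current is not None and hmac.compare_digest(seed_at_login, current)

    def _mac(self, name, seed):
        msg = f"{name}:{seed}".encode()
        return hmac.new(self.cookie_key, msg, hashlib.sha256).hexdigest()

    def issue_remember_me(self, name):
        # The MAC covers the seed, so a seed reset breaks every outstanding token.
        return f"{name}:{self._mac(name, self.seeds[name])}"

    def is_remember_me_valid(self, token):
        name, _, mac = token.partition(":")
        if name not in self.seeds:
            return False
        return hmac.compare_digest(mac, self._mac(name, self.seeds[name]))

    def reset_seed(self, name):
        # What the reset action on the user's configuration page does.
        self.seeds[name] = secrets.token_hex(16)

    def delete_user(self, name):
        # Deleting the record drops the seed, so old sessions and tokens fail.
        self.seeds.pop(name, None)
```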
External References: https://jenkins.io/security/advisory/2019-01-16/
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1668446]
The v3.11 image has already been released with 2.150.2. Customers should look for:

registry.access.redhat.com/openshift3/jenkins-2-rhel7 v3.11 19080d270283 2 weeks ago 1.42GB

and the 4.0 image is shipping with 2.150.2. Per strategy for jenkins security advisories, we are only updating 3.11.x and 4.x. Instructions for how older 3.x clusters can use the 3.11.x image are at https://github.com/openshift/jenkins#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary
This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 3.11

Via RHBA-2019:0326 https://access.redhat.com/errata/RHBA-2019:0326