Bug 1795930 - CVE-2019-11358 atomic-openshift-web-console: js-jquery: Web console vulnerable to CVE-2019-11358 (moderate impact) [openshift-enterprise-3.11.z]
Summary: CVE-2019-11358 atomic-openshift-web-console: js-jquery: Web console vulnerabl...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.11.z
Assignee: Robb Hamilton
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: CVE-2019-11358
Reported: 2020-01-29 09:28 UTC by Sergio G.
Modified: 2020-04-15 04:15 UTC (History)
8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The version of jQuery used in the web console contains a security vulnerability.
Consequence: See https://nvd.nist.gov/vuln/detail/CVE-2019-11358
Fix: Upgrade jQuery to a new, patched version that fixes the vulnerability.
Result: The management console now uses a patched version of jQuery and no longer includes the vulnerability.
Clone Of:
Environment:
Last Closed: 2020-02-19 19:53:43 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata
ID: RHBA-2020:0402
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-02-19 19:54:02 UTC

Description Sergio G. 2020-01-29 09:28:14 UTC
Description of problem:
A security scan reports that the web console in 3.11 contains a vendor.js bundle with jQuery 3.2.1, vulnerable to CVE-2019-11358.

Additional info:
- https://nvd.nist.gov/vuln/detail/CVE-2019-11358
- Some projects were updated in 2019 to fix this CVE, but OpenShift wasn't one of them: https://access.redhat.com/security/cve/CVE-2019-11358

Comment 4 shahan 2020-02-04 05:17:55 UTC
Get the version of jquery in console dev tools:

$().jquery
"3.4.0"

Or

jQuery().jquery
"3.4.0"
From https://access.redhat.com/security/cve/CVE-2019-11358, the jQuery vulnerability should be fixed in 3.4.0.

verified on:
OpenShift Master: v3.11.169
Kubernetes Master: v1.11.0+d4cacc0
OpenShift Web Console: v3.11.169
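
The check above is done by eye: read the string that `$().jquery` returns in the dev tools and compare it with the 3.4.0 release that the Red Hat CVE page names as the fix. The following is an added example, not code from the bug report or from the OpenShift web console project, that automates that comparison so a scanner finding such as "vendor.js bundles jQuery 3.2.1" can be triaged consistently. It assumes, as the CVE page states, that every jQuery release below 3.4.0 is affected; the bundle names and versions in the sample findings are constructed.

```javascript
// Added example (not part of the bug report): decide whether a jQuery build, identified by
// the version string that `$().jquery` / `jQuery().jquery` returns in the browser dev tools,
// predates the 3.4.0 release that fixes CVE-2019-11358.
// Assumption (from the Red Hat CVE page cited in the bug): every release below 3.4.0 is affected.

const FIXED_VERSION = [3, 4, 0];

function parseJQueryVersion(versionString) {
  // jQuery publishes versions as "major.minor.patch" with an optional pre-release
  // suffix such as "3.4.0-rc1" or "3.4.0-pre"; a two-part "3.3" is tolerated too.
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$/.exec(String(versionString).trim());
  if (!m) throw new Error(`unrecognised jQuery version string: ${versionString}`);
  return {
    parts: [Number(m[1]), Number(m[2]), Number(m[3] || 0)],
    prerelease: m[4] !== undefined,
  };
}

function compareVersionParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableToCVE201911358(versionString) {
  const { parts, prerelease } = parseJQueryVersion(versionString);
  const cmp = compareVersionParts(parts, FIXED_VERSION);
  // A pre-release of 3.4.0 itself (e.g. "3.4.0-rc1") may not carry the fix, so it is
  // treated as vulnerable; anything at or above the final 3.4.0 is considered fixed.
  return cmp < 0 || (cmp === 0 && prerelease);
}

// Triage helper: given bundle -> version findings from a scan, return only the vulnerable ones.
function findVulnerableBundles(findings) {
  return Object.entries(findings)
    .filter(([, version]) => isVulnerableToCVE201911358(version))
    .map(([bundle, version]) => ({ bundle, version }));
}

// Constructed sample mirroring the bug: the 3.11 vendor.js bundle shipped 3.2.1 and the
// fixed build reports 3.4.0; the legacy bundle name and its 1.x version are made up.
const SAMPLE_FINDINGS = {
  'vendor.js (before fix)': '3.2.1',
  'vendor.js (after fix)': '3.4.0',
  'legacy-widget.js (constructed)': '1.12.4',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerableBundles(SAMPLE_FINDINGS));
}
```

Paste the version string from the dev tools into `isVulnerableToCVE201911358`, or feed a whole scan report into `findVulnerableBundles`; the sample above flags the 3.2.1 and 1.12.4 entries and clears the 3.4.0 one.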

Comment 6 errata-xmlrpc 2020-02-19 19:53:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0402

Comment 7 Sam Fowler 2020-04-15 04:10:56 UTC
In future, please contact Product Security <secalert@redhat.com> before filing bugs or working on fixes for CVEs.

In this case, this fix was released to customers without Product Security's involvement which means that it was undocumented. There was no RHSA, no published scanning data, no CVE page entry. Undocumented security fixes are a High level exception under ProdSec policy:

https://docs.engineering.redhat.com/pages/viewpage.action?pageId=74060126

I have linked the RHBA with this CVE as a bandaid solution, but we can't convert RHBAs to RHSAs after they have released.

For OpenShift, this document has info for working on CVE fixes:

https://mojo.redhat.com/docs/DOC-1194006

A possible reason why there weren't earlier OpenShift bugs for this CVE is likely that the OpenShift web console does not provide a manifest of its vendored JS dependencies to Product Security. Maintainers can provide manifests by following this doc:

https://mojo.redhat.com/docs/DOC-1195158

