Bug 1861842 - CVE-2020-2181 CVE-2020-2182 jenkins-2-plugins: jenkins-credentials-binding-plugin: various flaws [openshift-4]
Summary: CVE-2020-2181 CVE-2020-2182 jenkins-2-plugins: jenkins-credentials-binding-pl...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.3.z
Assignee: Vibhav Bobade
QA Contact: Jitendar Singh
URL:
Whiteboard: component:jenkins-2-plugins
Depends On: 1861840
Blocks: CVE-2020-2181 CVE-2020-2182
TreeView+ depends on / blocked
 
Reported: 2020-07-29 17:24 UTC by Vibhav Bobade
Modified: 2020-10-20 15:51 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1861840
Environment:
Last Closed: 2020-10-20 15:50:54 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift jenkins pull 1124 None closed [release-4.3] Bug 1861842: CVE-2020-2182 credentials-binding 1.23 2020-11-12 02:37:29 UTC
Red Hat Product Errata RHSA-2020:4265 None None None 2020-10-20 15:51:15 UTC

Description Vibhav Bobade 2020-07-29 17:24:55 UTC
+++ This bug was initially created as a clone of Bug #1861840 +++

+++ This bug was initially created as a clone of Bug #1852331 +++

+++ This bug was initially created as a clone of Bug #1848216 +++

openshift-4 tracking bug for jenkins-2-plugins: see the bugs linked in the "Blocks" field of this bug for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes in the blocked bugs.

Impact: Moderate
Public Date: 06-May-2020
PM Fix/Wontfix Decision By: 16-Sep-2020
Resolve Bug By: 06-May-2021

In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX if you decide not to fix this bug.

Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9RBqB

--- Additional comment from Stephen Cuppett on 2020-06-18 18:30:40 UTC ---

Setting to target the z-stream. This isn't due prior to GA and is not a showstopper.

--- Additional comment from Jitendar Singh on 2020-06-25 05:44:41 UTC ---

 jsingh@localhost  ~/go/src/github.com/redhat-developer  oc get pods
NAME               READY   STATUS      RESTARTS   AGE
jenkins-1-build    0/1     Completed   0          11m
jenkins-1-deploy   0/1     Completed   0          2m15s
jenkins-1-pm4rl    1/1     Running     0          2m11s
 jsingh@localhost  ~/go/src/github.com/redhat-developer  oc rsh jenkins-1-pm4rl
sh-4.2$ cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.23
sh-4.2$ exit
exit
=====================================================
VERIFIED

--- Additional comment from Yuxiang Zhu on 2020-07-27 08:33:52 UTC ---

It doesn't seem to me the latest jenkins-2-plugins-4.5.1595405982-1.el7 RPM include this fix. The linked PR is only for upstream okd build.
I think this bug should only be moved to MODIFIED once it is included in ART build.

Comment 7 Jitendar Singh 2020-10-13 10:53:04 UTC
 Just tested it with the latest nightly for 4.3 https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1341931 and it has the fix.
==================================================
jsingh@localhost  ~  oc new-app jenkins-ephemeral -p NAMESPACE=$(oc project -q) -p JENKINS_IMAGE_STREAM_TAG=jenkins-jitsingh:latest
--> Deploying template "openshift/jenkins-ephemeral" to project jenkins-test

     Jenkins (Ephemeral)
     ---------
     Jenkins service, without persistent storage.
     
     WARNING: Any data stored will be lost upon pod destruction. Only use this template for testing.

     A Jenkins service has been created in your project.  Log into Jenkins with your OpenShift account.  The tutorial at https://github.com/openshift/origin/blob/master/examples/jenkins/README.md contains more information about using this template.

     * With parameters:
        * Jenkins Service Name=jenkins
        * Jenkins JNLP Service Name=jenkins-jnlp
        * Enable OAuth in Jenkins=true
        * Memory Limit=1Gi
        * Jenkins ImageStream Namespace=jenkins-test
        * Disable memory intensive administrative monitors=false
        * Jenkins ImageStreamTag=jenkins-jitsingh:latest
        * Allows use of Jenkins Update Center repository with invalid SSL certificate=false

--> Creating resources ...
    route.route.openshift.io "jenkins" created
    deploymentconfig.apps.openshift.io "jenkins" created
    serviceaccount "jenkins" created
    rolebinding.authorization.openshift.io "jenkins_edit" created
    service "jenkins-jnlp" created
    service "jenkins" created
--> Success
    Access your application via route 'jenkins-jenkins-test.apps.sharedocp4upi43.lab.upshift.rdu2.redhat.com' 
    Run 'oc status' to view your app.
 jsingh@localhost  ~  oc get pods -w
NAME               READY   STATUS              RESTARTS   AGE
jenkins-1-deploy   0/1     ContainerCreating   0          5s
jenkins-1-deploy   0/1     ContainerCreating   0          12s
jenkins-1-26nhb    0/1     Pending             0          0s
jenkins-1-26nhb    0/1     Pending             0          0s
jenkins-1-26nhb    0/1     ContainerCreating   0          0s
jenkins-1-deploy   1/1     Running             0          19s
jenkins-1-26nhb    0/1     ContainerCreating   0          3s
jenkins-1-26nhb    0/1     ContainerCreating   0          11s
^C%                                                                                                                                                                                            ✘ jsingh@localhost  ~  oc rsh jenkins-1-26nhb
sh-4.2$ cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.23
sh-4.2$ %                                                                                                                                                                                      jsingh@localhost  ~  oc new-app -f maven.yaml 
--> Deploying template "jenkins-test/maven-pipeline" for "maven.yaml" to project jenkins-test

     * With parameters:
        * Application Name=openshift-jee-sample
        * Source URL=https://github.com/openshift/openshift-jee-sample.git
        * Source Ref=master
        * GitHub Webhook Secret=MKY8cSSRpKqhD3IqGLeeLl0Fc7tO6F2BHV1QKklR # generated
        * Generic Webhook Secret=1LeK7kIEnm7XxBYlk3J7WtQs2Q7vPceSyFkd3Au1 # generated

--> Creating resources ...
    imagestream.image.openshift.io "openshift-jee-sample" created
    imagestream.image.openshift.io "wildfly" created
    buildconfig.build.openshift.io "openshift-jee-sample" created
    buildconfig.build.openshift.io "openshift-jee-sample-docker" created
    deploymentconfig.apps.openshift.io "openshift-jee-sample" created
    service "openshift-jee-sample" created
    route.route.openshift.io "openshift-jee-sample" created
--> Success
    Use 'oc start-build openshift-jee-sample' to start a build.
    Use 'oc start-build openshift-jee-sample-docker' to start a build.
    Access your application via route 'openshift-jee-sample-jenkins-test.apps.sharedocp4upi43.lab.upshift.rdu2.redhat.com' 
    Run 'oc status' to view your app.
 jsingh@localhost  ~  oc get routes
NAME                   HOST/PORT                                                                            PATH   SERVICES               PORT       TERMINATION     WILDCARD
jenkins                jenkins-jenkins-test.apps.sharedocp4upi43.lab.upshift.rdu2.redhat.com                       jenkins                <all>      edge/Redirect   None
openshift-jee-sample   openshift-jee-sample-jenkins-test.apps.sharedocp4upi43.lab.upshift.rdu2.redhat.com          openshift-jee-sample   8080-tcp                   None
 jsingh@localhost  ~  oc start-build openshift-jee-sample
build.build.openshift.io/openshift-jee-sample-1 started
 jsingh@localhost  ~  oc get pods -w
NAME               READY   STATUS              RESTARTS   AGE
jenkins-1-26nhb    1/1     Running             0          3m43s
jenkins-1-deploy   0/1     Completed           0          4m2s
maven-nlg1x        0/1     ContainerCreating   0          1s
maven-nlg1x        0/1     ContainerCreating   0          3s
maven-nlg1x        0/1     ContainerCreating   0          8s
maven-nlg1x        1/1     Running             0          30s
maven-nlg1x        1/1     Terminating         0          70s
maven-nlg1x        1/1     Terminating         0          71s
openshift-jee-sample-docker-1-build   0/1     Pending             0          0s
openshift-jee-sample-docker-1-build   0/1     Pending             0          0s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          0s
maven-nlg1x                           0/1     Terminating         0          72s
maven-nlg1x                           0/1     Terminating         0          73s
maven-nlg1x                           0/1     Terminating         0          73s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          2s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          3s
openshift-jee-sample-docker-1-build   0/1     Init:1/2            0          4s
openshift-jee-sample-docker-1-build   0/1     PodInitializing     0          5s
openshift-jee-sample-docker-1-build   1/1     Running             0          6s
openshift-jee-sample-docker-1-build   0/1     Completed           0          55s
openshift-jee-sample-docker-1-build   0/1     Completed           0          55s
openshift-jee-sample-1-deploy         0/1     Pending             0          0s
openshift-jee-sample-1-deploy         0/1     Pending             0          0s
openshift-jee-sample-1-deploy         0/1     ContainerCreating   0          0s
openshift-jee-sample-1-deploy         0/1     ContainerCreating   0          2s
openshift-jee-sample-1-deploy         1/1     Running             0          3s
openshift-jee-sample-1-skc4k          0/1     Pending             0          0s
openshift-jee-sample-1-skc4k          0/1     Pending             0          0s
openshift-jee-sample-1-skc4k          0/1     ContainerCreating   0          0s
openshift-jee-sample-docker-1-build   0/1     Completed           0          59s
openshift-jee-sample-1-skc4k          0/1     ContainerCreating   0          3s
openshift-jee-sample-1-skc4k          0/1     ContainerCreating   0          11s
openshift-jee-sample-1-skc4k          0/1     Running             0          28s
openshift-jee-sample-1-skc4k          1/1     Running             0          64s
openshift-jee-sample-1-deploy         0/1     Completed           0          67s
openshift-jee-sample-1-deploy         0/1     Completed           0          67s
openshift-jee-sample-1-deploy         0/1     Completed           0          74s

Comment 8 Vibhav Bobade 2020-10-13 11:04:59 UTC
Moving to ON_QA considering the recent update on this

Comment 9 Jitendar Singh 2020-10-13 11:16:45 UTC
VERIFIED

Comment 12 errata-xmlrpc 2020-10-20 15:50:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.3.40 jenkins-2-plugins security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4265


Note You need to log in before you can comment on or make changes to this bug.