Stay Informed

This week, read about:

Key Security, Maintenance, and Feature Releases

Security Based Updates

Jenkins 2.424
Jenkins Security Advisory 2023-09-20
This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)
  • Build Failure Analyzer Plugin

Builds can be filtered by values of sensitive build variables

SECURITY-3261 / CVE-2023-43494 
Severity (CVSS): Medium 
Description: 

  • Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc.
  • Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from this search.
  • This allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
  • Jenkins 2.424, LTS 2.414.2 excludes sensitive variables from this search.

Stored XSS vulnerability

SECURITY-3245 / CVE-2023-43495 
Severity (CVSS): High 
Description:

  • ExpandableDetailsNote allows annotating build log content with additional information that can be revealed when interacted with.
  • Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption constructor parameter of ExpandableDetailsNote.
  • This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide caption parameter values.
  • As of publication, the related API is not used within Jenkins (core), and the Jenkins security team is not aware of any affected plugins.
  • Jenkins 2.424, LTS 2.414.2 escapes caption constructor parameter values.

Temporary plugin file created with insecure permissions

SECURITY-3072 / CVE-2023-43496 
Severity (CVSS): High 
Description:

  • Jenkins creates a temporary file when a plugin is deployed directly from a URL.
  • Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files.
  • If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
  • This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.
  • Jenkins 2.424, LTS 2.414.2 creates the temporary file in a subdirectory with more restrictive permissions.
  • As a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.

Temporary uploaded file created with insecure permissions

SECURITY-3073 / CVE-2023-43497 (Stapler), CVE-2023-43498 (MultipartFormDataParser) 
Severity (CVSS): Low 
Description:

  • In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files.
  • If these permissions are overly permissive, attackers with access to the system temporary directory may be able to read and write the file before it is used.
  • This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.
  • Jenkins 2.424, LTS 2.414.2 creates the temporary files in a subdirectory with more restrictive permissions.
  • As a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.

Stored XSS vulnerability in Build Failure Analyzer Plugin

SECURITY-3244 / CVE-2023-43499 
Severity (CVSS): High 
Affected plugin: build-failure-analyzer 
Description:

  • Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs.
  • This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.
  • Build Failure Analyzer Plugin 2.4.2 escapes Failure Cause names in build logs.

CSRF vulnerability and missing permission check in Build Failure Analyzer Plugin allow SSRF

SECURITY-3226 / CVE-2023-43500 (CSRF), CVE-2023-43501 (missing permission check) 
Severity (CVSS): Medium 
Affected plugin: build-failure-analyzer 
Description:

  • Build Failure Analyzer Plugin 2.4.1 and earlier does not perform a permission check in a connection test HTTP endpoint.
  • This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password.
  • Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
  • Build Failure Analyzer Plugin 2.4.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

CSRF vulnerability in Build Failure Analyzer Plugin allows deleting Failure Causes

SECURITY-3239 / CVE-2023-43502 
Severity (CVSS): Medium 
Affected plugin: build-failure-analyzer 
Description:

  • Build Failure Analyzer Plugin 2.4.1 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
  • This vulnerability allows attackers to delete Failure Causes.
  • Build Failure Analyzer Plugin 2.4.2 requires POST requests for the affected HTTP endpoint.

Severity

  • SECURITY-3072: High
  • SECURITY-3073: Low
  • SECURITY-3226: Medium
  • SECURITY-3239: Medium
  • SECURITY-3244: High
  • SECURITY-3245: High
  • SECURITY-3261: Medium

Affected Versions

  • Jenkins weekly up to and including 2.423
  • Jenkins LTS up to and including 2.414.1
  • Build Failure Analyzer Plugin up to and including 2.4.1

Fix

  • Jenkins weekly should be updated to version 2.424
  • Jenkins LTS should be updated to version 2.414.2
  • Build Failure Analyzer Plugin should be updated to version 2.4.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
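The two temporary-file issues above (SECURITY-3072 and SECURITY-3073) come down to where a temporary file is created and with which mode bits. The following Java program is an added example, not Jenkins code: it creates one temporary file the way the advisory describes as affected (directly in java.io.tmpdir with the process default permissions, via java.io.File.createTempFile) and one the way the fix describes (inside a freshly created subdirectory, both requested owner-only), then reads back the POSIX permission bits of each file and of its parent directory. The class and method names are illustrative; the program needs a POSIX file system, matching the advisory's note that only systems with a shared temporary directory such as Linux are affected.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added illustration, not Jenkins code. Creates a temporary file two ways on a
 * POSIX system and reports which permission bits each one ends up with, so the
 * difference described in SECURITY-3072/3073 can be observed on a concrete host.
 */
public class TempFilePermissions {

    /** Any of these bits set means local users other than the owner can reach the file. */
    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /**
     * Pattern the advisory describes as affected: a file placed directly in
     * java.io.tmpdir with the process default permissions. java.io.File.createTempFile
     * opens the file with mode 0666 masked by the umask, so with the usual umask of
     * 022 the file is created 0644 (group- and world-readable), and its parent is the
     * shared system temp directory.
     */
    static Path sharedTempFile() throws IOException {
        File f = File.createTempFile("plugin-", ".jpi.tmp");
        return f.toPath();
    }

    /**
     * Pattern the fix describes: a fresh subdirectory with restrictive permissions and
     * the file created inside it. java.nio's createTempDirectory/createTempFile already
     * default to owner-only modes on POSIX; the permissions are requested explicitly
     * here so the intent does not depend on JDK defaults.
     */
    static Path privateTempFile() throws IOException {
        Path dir = Files.createTempDirectory("jenkins-private-",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        return Files.createTempFile(dir, "plugin-", ".jpi.tmp",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
    }

    /**
     * True only when neither the file nor its parent directory grants any group/other
     * bits. Checking the parent as well is what distinguishes a 0600 file sitting in a
     * world-accessible /tmp from one inside a private subdirectory.
     */
    static boolean isOwnerOnly(Path file) throws IOException {
        Set<PosixFilePermission> filePerms = Files.getPosixFilePermissions(file, LinkOption.NOFOLLOW_LINKS);
        Set<PosixFilePermission> dirPerms = Files.getPosixFilePermissions(file.getParent(), LinkOption.NOFOLLOW_LINKS);
        return filePerms.stream().noneMatch(NON_OWNER::contains)
                && dirPerms.stream().noneMatch(NON_OWNER::contains);
    }

    public static void main(String[] args) throws IOException {
        // The directory the advisory's workaround (-Djava.io.tmpdir=...) redirects.
        System.out.println("java.io.tmpdir = " + System.getProperty("java.io.tmpdir"));
        Path shared = sharedTempFile();
        Path priv = privateTempFile();
        try {
            report("default java.io.File temp file", shared);
            report("owner-only subdirectory temp file", priv);
        } finally {
            Files.deleteIfExists(shared);
            Files.deleteIfExists(priv);
            Files.deleteIfExists(priv.getParent());
        }
    }

    private static void report(String label, Path p) throws IOException {
        System.out.printf("%-36s %s  mode=%s  ownerOnly=%s%n", label, p,
                PosixFilePermissions.toString(Files.getPosixFilePermissions(p)), isOwnerOnly(p));
    }
}
```

Run it with `java TempFilePermissions.java` on JDK 11 or later. On a Linux host with the common umask of 022 the first file reports mode rw-r--r-- and ownerOnly=false, while the second reports rw------- inside a rwx------ directory. Pointing java.io.tmpdir at a directory only the Jenkins service account can enter, the workaround the advisory offers, changes where the first file lands but not the file's own mode bits, which is why the fixed releases create a restrictive subdirectory rather than relying on the temp-directory location alone.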

GitLab 16.3.4
Recommended Action

  • We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. For versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4, see the mitigations offered below.
  • When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Table of Fixes:
Title: Attacker can abuse scan execution policies to run pipelines as another user
Severity: Critical

An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. This was a bypass of CVE-2023-3932 showing additional impact. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2023-5009.

Mitigations for Impacted Versions: 
Instances running versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4 are vulnerable if both of the features below are enabled at the same time. In order to mitigate this vulnerability in situations where it's not possible to upgrade, it is required to disable one or both features.

  • Direct transfers
  • Security policies

If both features are turned on, the instance is in a vulnerable state.

Non-Security Based Updates

Docker Compose 2.22.0
Upgrade Notes

  • watch command is now GA and can be directly used from the root command docker compose watch

Features

  • Experimental support of publish command (#10949)
  • watch now builds and launches the project at start (#10957)
  • Add policy option to the --pull flag (#10981)

Fixes

  • Fix various race/deadlock conditions for up command on exit (#10934)
  • Fix for multi-platform issues on build (#10956)
  • Enable services explicitly requested even if their profiles aren't activated (#10952)
  • Fix config bug when declared env_file are missing (#11025)

Internal 

  • Pass BuildOptions to up and run commands (#10956)
  • Upgrade to compose-go@v1.19.0

What's Changed

  • pkg/api: replace uuid for basic random id by @thaJeztah in #10953
  • up: fix various race/deadlock conditions on exit by @milas in #10934
  • build: pass BuildOptions around explicitly & fix multi-platform issues by @milas in #10956
  • Enable service explicitly requested to be restarted by @ndeloof in #10952
  • migrate to github.com/distribution/reference by @thaJeztah in #10954
  • doc: updated README.md to remove broken link by @kumarlokesh in #10966
  • introduce publish (alpha) command by @ndeloof in #10949
  • watch: build & launch the project at start by @milas in #10957
  • OTEL: adding flags to cli traces by @rvigus in #10974
  • cli: fix --build flag for create by @milas in #10982
  • deps: upgrade Moby to v24.0.6 and gRPC to v1.58.0 by @milas in #10991
  • ci: tweak restricted imports in linter by @milas in #10992
  • add scale command by @glours in #10979
  • update to go1.21.1 by @thaJeztah in #11000
  • don't rely on depends_on to resolve volume_from, better use observed state by @ndeloof in #10999
  • introduce pull --policy flag to only pull images not present in cache by @ndeloof in #10981
  • build(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.6 by @dependabot in #11016
  • build(deps): bump google.golang.org/grpc from 1.58.0 to 1.58.1 by @dependabot in #11019
  • build(deps): bump gotest.tools/v3 from 3.5.0 to 3.5.1 by @dependabot in #11020
  • build(deps): bump github.com/moby/buildkit from 0.12.1 to 0.12.2 by @dependabot in #11017
  • build(deps): bump github.com/opencontainers/image-spec from 1.1.0-rc4 to 1.1.0-rc5 by @dependabot in #11027
  • use official develop section to configure watch command by @ndeloof in #11026
  • implement publish by @ndeloof in #11008
  • TestWatch to use new develop section by @ndeloof in #11031
  • remove --timeout=0 flag to cleanup function of watch e2e test by @glours in #11023
  • move watch from alpha to main command by @glours in #11021
  • config --xx don't need env_file being parsed by @ndeloof in #11025

Kibana 8.10.2
Bug Fixes

  • Fleet: Fixes force delete package, updated used by agents check (#166623).
  • Management: Fixes showing Received partial message instead of results when there are some remote shard errors in a cross-cluster search (#166544).

RabbitMQ 3.12.6
Core Server
Bug Fixes:

  • 3.12.5 unintentionally shipped with a seshat version older than 0.6.1. This can potentially result in an incompatibility with the stream subsystem.

Enhancements:

  • Improved forward compatibility of classic queues with 3.13.

Spring Boot 3.1.4 
Bug Fixes:

  • When SLF4J and Logback are initialized on multiple threads in parallel, startup may fail due to SubstituteLoggerFactory being considered to be a competing LoggerFactory implementation
  • Saml2RelyingPartyAutoConfiguration ignores sign-request when metadata-url is used
  • Leaking file descriptor / socket within DomainSocket tooling
  • Invalid Accept header produces HTTP 500 in WelcomePageHandlerMapping
  • PrivateKeyParser doesn't support ed448, XDH and RSA-PSS keys
  • "languageVersion is final and cannot be changed" when using Gradle 8.3 and configuring the Java toolchain's language version
  • AOT processing fails when a @ConfigurationProperties-annotated record has multiple constructors
  • Spring Boot dependency management not working for ehcache when using Gradle and the dependency management plugin
  • SslStoreBundle implementations aren't immutable
  • Parsing OCI image names that are invalid due to the use of upper case letters is very slow
  • Producing and consuming different tracing propagation formats doesn't work
  • Using https with elliptic curves other than secp384r1 fails
  • In 3.0.x and later, Spring Security cannot be used to secure a WebSocket upgrade request when using Jetty
  • Local baggage is propagated when using Brave and W3C
  • ServiceConnectionContextCustomizer can trigger docker usage during AOT processing
  • java.lang.OutOfMemoryError: Metaspace when repeatedly deploying and undeploying a Spring Boot web application multiple times in Tomcat
  • Property 'logging.threshold.console' not working
