Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2674 Jenkins Security Advisory 2019-07-17 18 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Jenkins Publisher: Jenkins Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Create Arbitrary Files -- Existing Account Cross-site Request Forgery -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-10352 CVE-2019-10353 CVE-2019-10354 Original Bulletin: https://jenkins.io/security/advisory/2019-07-17/ - --------------------------BEGIN INCLUDED TEXT-------------------- Jenkins Security Advisory 2019-07-17 This advisory announces vulnerabilities in the following Jenkins deliverables: * Jenkins (core) Descriptions Arbitrary file write vulnerability using file parameter definitions SECURITY-1424 / CVE-2019-10352 Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path would be used to store the uploaded file on the Jenkins master, resulting in an arbitrary file write vulnerability. File parameters that escape the base directory are no longer accepted and the build will fail. This vulnerability is the result of an incomplete fix for SECURITY-1074. CSRF protection tokens did not expire SECURITY-626 / CVE-2019-10353 By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim's IP address remained unchanged. CSRF tokens will now also check the web session ID to confirm they were created in the same session. Once that's invalidated or expired, corresponding CSRF tokens will become invalid as well. This fix may impact scripts that obtain a crumb from the crumb issuer Note API. They may need to be updated to retain the session ID for subsequent requests. For further information, see the LTS upgrade guide. We also publish the Strict Crumb Issuer Plugin which contains additional protection mechanisms that give administrators more fine-grained control over the validity of CSRF tokens. We plan to improve the built-in default crumb issuer based on user feedback of this implementation. Unauthorized view fragment access SECURITY-534 / CVE-2019-10354 Jenkins uses the Stapler web framework to render its UI views. These views are frequently comprised of several view fragments, enabling plugins to extend existing views with more content. In some cases attackers could directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view. The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows preventing views from being rendered. The implementation of that SPI in Jenkins now prevents view fragments from being rendered. Further details are available in the developer documentation. Most views in Jenkins and Jenkins plugins should be compatible with this change. We track known affected plugins and their status in the Jenkins wiki. In rare cases, it may be desirable to disable this fix. To do so, set the Java system property jenkins.security.stapler.StaplerDispatchValidator.disabled to true. Learn more about system properties in Jenkins. Severity * SECURITY-534: Medium * SECURITY-626: High * SECURITY-1424: Medium Affected Versions * Jenkins weekly up to and including 2.185 * Jenkins LTS up to and including 2.176.1 Fix * Jenkins weekly should be updated to version 2.186 * Jenkins LTS should be updated to version 2.176.2 These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated. Credit The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: * Conor O'Neill of Tenable for SECURITY-1424 * Jesse Glick, CloudBees, Inc. for SECURITY-534 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXS/TiWaOgq3Tt24GAQj49xAAv2PG4Bu+KrrqoZGdp2m0uK1xEOyF4DOo rWJ0zGncU27j6FWyS3MajuileF1V7eV+9Ml5sD1TXw+vrOITzr1o/4wVpZJjAyyj B/cHvkO9uv7g2XscrVvmmUAlwMzZGEswPv0A06hW9uPySfDfseiWRYGvUkTf2RAY 20P0a5IiILN0S+s9Brls/zCWWUSHxfUqWcwT1a5mcZn9rx0FGvXLxNriWqrWJ3qi Kk7gJA9YD1SBWYlTmi30uDuotoPSPb34KEZPnbaFhdy6zlOx3IbxeO/rSteSS6M3 pzy42oQ+4u7vbhZHYORIlulJ665cMu6nR9qtEbXcT44qC3nwGAcwL4OncwTRkl5C XLMjt5cn6LlhXt9utI4NklQGknG4Op4iajBCva3bxzStJ/gCgzTTshQi/VTeMsAk Y3ZxwD/sB5QCnjRYL3byByPl+OeGxc62PyGQjhva55PrSL5/4aLnv34foL4ctLEP TGngsWwjpOsqxg+1Y5P+71XVtokLllJ4nbi0+yjmoKl1h44ngaHVMQfeT8ujBgDm Cw1tb3XW9Pl+GtuZhuF6gVJsLE3KjAQCFmeg0dpH5JJ7RxgLdYiliZvthx2ijioO SF/xVeqTM0r0rDB3rdqBbXkmxam/debiTsWi2npE1Fd9RhIn+xKyJW0+h/5CgXpc O3XQc/5qbj8= =kwVu -----END PGP SIGNATURE-----