ESB-2017.2563 - [Win][UNIX/Linux] Jenkins: Multiple vulnerabilities 2017-10-12

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2563
                   Jenkins Security Advisory 2017-10-11
                              12 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Access Privileged Data          -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3092 CVE-2012-6153 

Reference:         ASB-2017.0119
                   ASB-2017.0116
                   ESB-2017.2415
                   ESB-2017.1595

Original Bulletin: 
   https://jenkins.io/security/advisory/2017-10-11/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2017-10-11

This advisory announces multiple vulnerabilities in Jenkins (weekly and LTS),
and these plugins:

Maven Plugin

Swarm Plugin Client

Speaks! Plugin

Description

Arbitrary shell command execution on master by users with Agent-related 
permissions

SECURITY-478 / CVE pending

Users with permission to create or configure agents in Jenkins could configure
a launch method called Launch agent via execution of command on master. This 
allowed them to run arbitrary shell commands on the master node whenever the 
agent was supposed to be launched.

Configuration of this launch method now requires the Run Scripts permission 
typically only granted to administrators.

A known limitation of this fix is that users without the Run Scripts 
permission are no longer able to configure agents with this launch method at 
all, even if the launch method remains unchanged.

A future release of Jenkins will move this launch method into a separate 
plugin. That plugin will depend on Script Security Plugin to secure this field
and restore the ability of users without the Run Scripts permission to 
configure an agent with this launch method.

Jenkins core bundled vulnerable version of the commons-fileupload library

SECURITY-490 / CVE pending

Jenkins bundled a version of the commons-fileupload library with the 
denial-of-service vulnerability known as CVE-2016-3092.

The fix for that vulnerability has been backported to the version of the 
library bundled with Jenkins.

"User" remote API disclosed users' email addresses

SECURITY-514 / CVE pending

Information about Jenkins user accounts is generally available to anyone with
Overall/Read permissions via the /user/(username)/api remote API. This 
included e.g. Jenkins users' email addresses if the Mailer Plugin is 
installed.

The remote API now no longer includes information beyond the most basic (user
ID and name) unless the user requesting it is a Jenkins administrator or the 
user themselves.

Jenkins core bundled vulnerable version of the commons-httpclient library

SECURITY-555 / CVE pending

Jenkins bundled a version of the commons-httpclient library with the 
vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making
it susceptible to man-in-the-middle attacks.

This library is widely used as a transitive dependency in Jenkins plugins.

The fix for CVE-2012-6153 was backported to the version of commons-httpclient
that is bundled in core and made available to plugins.

Maven Plugin bundled vulnerable version of the commons-httpclient library

SECURITY-557 / CVE pending

Maven Plugin bundled a version of the commons-httpclient library with the 
vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making
it susceptible to man-in-the-middle attacks.

Maven Plugin 3.0 no longer has a dependency on commons-httpclient.

Swarm Plugin Client bundled vulnerable version of the commons-httpclient 
library

SECURITY-597 / CVE pending

Swarm Plugin Client bundled a version of the commons-httpclient library with 
the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, 
making it susceptible to man-in-the-middle attacks.

The fix for CVE-2012-6153 was backported to the version of commons-httpclient
bundled in Swarm Plugin Client.

IMPORTANT: Please note that Swarm Plugin Client needs to be updated 
independently from the plugin. Updating just the plugin will not resolve the 
security vulnerability.

"Computer" remote API disclosed information about inaccessible jobs

SECURITY-611 / CVE pending

The remote API at /computer/(agent-name)/api showed information about tasks 
(typically builds) currently running on that agent. This included information
about tasks that the current user otherwise has no access to, e.g. due to lack
of Job/Read permission.

This has been fixed, and the API now only shows information about accessible 
tasks.

"Queue Item" remote API disclosed information about inaccessible jobs

SECURITY-618 / CVE pending

The remote API at /queue/item/(ID)/api showed information about tasks in the 
queue (typically builds waiting to start). This included information about 
tasks that the current user otherwise has no access to, e.g. due to lack of 
Job/Read permission.

This has been fixed, and the API endpoint is now only available for tasks that
the current user has access to.

"Job" remote API disclosed information about inaccessible upstream/downstream
jobs

SECURITY-617 / CVE pending

The remote API at /job/(job-name)/api contained information about upstream and
downstream projects. This included information about tasks that the current 
user otherwise has no access to, e.g. due to lack of Job/Read permission.

This has been fixed, and the API now only lists upstream and downstream 
projects that the current user has access to.

Form validation for password fields was sent via GET

SECURITY-616 / CVE pending

The Jenkins default form control for passwords and other secrets, 
<f:password/>, supports form validation (e.g. for API keys). The form 
validation AJAX requests were sent via GET, which could result in secrets 
being logged to a HTTP access log in non-default configurations of Jenkins, 
and made available to users with access to these log files.

Form validation for <f:password/> is now always sent via POST, with the 
password in the request body, which is typically not logged.

Arbitrary code execution vulnerability in Speaks! Plugin

SECURITY-623 / CVE pending

This plugin allows users with Job/Configure permission to run arbitrary Groovy
code inside the Jenkins JVM, effectively elevating privileges to Overall/Run 
Scripts.

As of publication of this advisory, there is no fix.

Severity

SECURITY-478: high

SECURITY-490: high

SECURITY-514: medium

SECURITY-555: medium

SECURITY-557: medium

SECURITY-597: medium

SECURITY-611: medium

SECURITY-616: low

SECURITY-617: medium

SECURITY-618: medium

SECURITY-623: high

Affected versions

Jenkins weekly up to and including 2.83

Jenkins LTS up to and including 2.73.1

Maven Plugin up to and including 2.17

All versions of Speaks! Plugin

Swarm Plugin (Client) up to and including 3.4

Fix

Jenkins weekly should be updated to 2.84

Jenkins LTS should be updated to 2.73.2

Maven Plugin should be updated to 3.0

Swarm Plugin (Client) should be updated to 3.5

These versions include fixes to the vulnerabilities described above. All prior
versions are affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, there is no fix available for Speaks! 
Plugin. Its distribution has been suspended.

Credit

The Jenkins project would like to thank the reporters for discovering and 
reporting these vulnerabilities:

Ben Walding, CloudBees, Inc. for SECURITY-616

Daniel Beck, CloudBees, Inc. for SECURITY-478, SECURITY-611, SECURITY-623

Jesse Glick, CloudBees, Inc. for SECURITY-617, SECURITY-618

Other Resources

Announcement blog post

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWd7WdIx+lLeg9Ub1AQh1vg//Rl4NHxa1PSzL5fhvRK0k8X/V2+UEt9+4
VHzjokcJNJlRv/fr4by4IpIQ5TchMPN9RS7ANFwwIqLEEqjSyCSL7aQ2YG648JoO
GBd4/ZVtx46Lzk5dyqpCqgwfw8qsAtSHD0qI/of9o/h1ewK6F1/AEaQIRFcn3lmZ
xud8aNAu6imqhaRBX/2yf140vGe1PWRWOctVaOFZMDBLjRQR00EwebKHhChzehVY
oCaJhu9egNyzKaL0bCPAcaUwDxAfBP3RinEtMMsftDmIGzpds08b+UW3azpl06+B
LYDNOgkB4DluJYgIkfOwRsJMSruBRXUcAPPJiQtYM0Ez5kaonuP7Wkm9Awppvgq3
81ILF5eQ3NSAXPgiWPzXSyuRVowS76XrVWuMAxccv2i6/sMQImXSOpxDimyu5bnr
+XITcLIRsBESWQrf7EJNra7rbxvkGjbDW+SAzAIf4NxpqI7KQDRQ4QsxqoFRa7U/
lAq5WJHaazpHiBLOd6n/PEnW39arlYnuZM8dOp8OiHxAf0wdeE7UETp8A+eMwS0W
xS85pmu/LAepFHlOr4HZV/h103XVhxNWq2wq+IQVvLa3UXziHS/QRP08AFOw848q
OBrThJJ8s8/xi5jBaNgSiXGlYbvvJ1rIeSp9LjH5V8H8SambAMfgzV7YWfPtb/za
qSSACz6+zAk=
=+0xl
-----END PGP SIGNATURE-----

« Back to bulletins