ESB-2017.3126 - [Win][UNIX/Linux] Jenkins: Execute arbitrary code/commands - Existing account 2017-12-07


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3126
                   Jenkins Security Advisory 2017-12-06
                              7 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://jenkins.io/security/advisory/2017-12-06/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2017-12-06

This advisory announces a vulnerability in this Jenkins plugin:

EC2

Description

Arbitrary shell command execution on master by users with Agent-related 
permissions in EC2 Plugin

SECURITY-643

Users with permission to create or configure agents in Jenkins could configure
an EC2 agent to run arbitrary shell commands on the master node whenever the 
agent was supposed to be launched.

Configuration of these agents now requires the Run Scripts permission 
typically only granted to administrators.

Severity

SECURITY-643: high

Affected versions

EC2 Plugin up to and including 1.37

Fix

EC2 Plugin should be updated to version 1.38

This version includes a fix for the vulnerability described above. All prior
versions are considered to be affected by this vulnerability unless otherwise
indicated.
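The advisory gives a single boundary (fixed in 1.38, everything before it affected), so the practical check is a version comparison over what is actually installed. The following is an added example, not part of the AusCERT bulletin or of the Jenkins EC2 Plugin: it parses the JSON that Jenkins returns from GET $JENKINS_URL/pluginManager/api/json?depth=1 (the shortName and version fields are real Jenkins fields; the sample response embedded below is constructed for the example), applies Maven-style ordering so that a 1.38-SNAPSHOT build is still treated as older than the 1.38 release, and reports any installed plugin older than its fixed version. The FIXED_VERSIONS table holds only the plugin and version named in this advisory.

```python
"""Flag an installed Jenkins EC2 Plugin that is older than the fixed 1.38.

Added example (not the bulletin's or the Jenkins project's own code).
Input is the JSON body of GET $JENKINS_URL/pluginManager/api/json?depth=1.
"""
import json
import re

# SECURITY-643: EC2 Plugin fixed in 1.38; all prior versions affected.
FIXED_VERSIONS = {"ec2": "1.38"}

# leading dotted numbers, then an optional qualifier such as "-SNAPSHOT"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(version):
    """Return (numeric_components, is_release) for a plugin version string.

    '1.37'          -> ((1, 37), True)
    '1.38-SNAPSHOT' -> ((1, 38), False)   pre-release of 1.38
    '1.38.1'        -> ((1, 38, 1), True)
    Trailing zeros are dropped so that '1.38.0' equals '1.38'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unparseable plugin version: %r" % version)
    numbers = [int(part) for part in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    is_release = m.group(2) == ""
    return tuple(numbers), is_release


def is_older(version, fixed):
    """True if `version` sorts before `fixed`, i.e. it lacks the fix.

    Same numeric components: a pre-release (qualifier present) is older
    than the bare release, matching Maven ordering (1.38-SNAPSHOT < 1.38).
    """
    v_num, v_rel = parse_version(version)
    f_num, f_rel = parse_version(fixed)
    if v_num != f_num:
        return v_num < f_num
    return (not v_rel) and f_rel


def audit_plugins(plugin_manager_json, fixed_versions=FIXED_VERSIONS):
    """Return [(shortName, installed, fixed), ...] for plugins lacking the fix.

    A disabled-but-installed copy is still reported: the jar is on disk and
    re-enabling it would bring the flaw back.
    """
    data = json.loads(plugin_manager_json)
    findings = []
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        installed = plugin.get("version")
        if name in fixed_versions and installed:
            fixed = fixed_versions[name]
            if is_older(installed, fixed):
                findings.append((name, installed, fixed))
    return findings


# Constructed sample of the pluginManager API response (not captured from
# a real instance): one affected EC2 Plugin beside an unrelated plugin.
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "ec2", "version": "1.37", "active": True, "enabled": True},
        {"shortName": "git", "version": "3.6.4", "active": True, "enabled": True},
    ]
})


if __name__ == "__main__":
    for name, installed, fixed in audit_plugins(SAMPLE_RESPONSE):
        print("%s %s is affected; upgrade to %s or later" % (name, installed, fixed))
```

To run this against a live controller, feed the output of the pluginManager endpoint (fetched with an API token) to audit_plugins in place of SAMPLE_RESPONSE. Upgrading the plugin is the fix; in addition, review which users and groups hold the agent create/configure permissions, since those are the accounts that could have exploited this before 1.38.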

Credit

The Jenkins project would like to thank the reporter for discovering and 
reporting this vulnerability:

Jesse Glick, CloudBees Inc. for SECURITY-643

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
