ESB-2018.1854 - [Win][UNIX/Linux] Jenkins plugins: Multiple vulnerabilities 2018-06-26

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1854
                      Jenkins plugins security update
                               26 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data     -- Existing Account            
                   Modify Arbitrary Files     -- Existing Account            
                   Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Existing Account            
                   Unauthorised Access        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000610 CVE-2018-1000609 CVE-2018-1000608
                   CVE-2018-1000607 CVE-2018-1000606 CVE-2018-1000605
                   CVE-2018-1000604 CVE-2018-1000603 CVE-2018-1000602
                   CVE-2018-1000601 CVE-2018-1000600 CVE-2018-1000404
                   CVE-2018-1000403 CVE-2018-1000402 CVE-2018-1000401

Original Bulletin: 
   https://jenkins.io/security/advisory/2018-06-25/

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories - Jenkins Security Advisory 2018-06-25

Jenkins Security Advisory 2018-06-25

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * AWS CodeBuild Plugin
  * AWS CodeDeploy Plugin
  * AWS CodePipeline Plugin
  * Badge Plugin
  * CollabNet Plugins Plugin
  * Configuration as Code Plugin
  * Credentials Plugin
  * Fortify CloudScan Plugin
  * GitHub Plugin
  * IBM z/OS Connector Plugin
  * Openstack Cloud Plugin
  * SAML Plugin
  * SSH Credentials Plugin
  * URLTrigger Plugin

Descriptions

CSRF vulnerability and missing permission checks in GitHub Plugin allowed
capturing credentials

SECURITY-915 / CVE-2018-1000600

A form action method in GitHub Plugin did not check the permission of the user
accessing it, allowing anyone with Overall/Read access to Jenkins to cause
Jenkins to send a GitHub API request to create an API token to a an attacker
specified URL.

This allowed users with Overall/Read access to Jenkins to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

The form validation method now requires POST requests and the Overall/
Administer permission.

Arbitrary file read vulnerability in SSH Credentials Plugin with Credentials
Binding Plugin

SECURITY-440 / CVE-2018-1000601

SSH Credentials Plugin allowed the creation of SSH credentials with keys "From
a file on Jenkins master". Credentials Binding Plugin 1.13 and newer allows
binding SSH credentials to environment variables. In combination, these two
features allow users with the permission to configure a job to read arbitrary
files on the Jenkins master by creating an SSH credential referencing an
arbitrary file on the Jenkins master, and binding it to an environment variable
in a job.

SSH Credentials Plugin does no longer support SSH credentials from files on the
Jenkins master file system, both user-specified file paths, and ~/.ssh.
Existing SSH credentials of these kinds are migrated to "directly entered" SSH
credentials.

     If Blue Ocean is installed, it needs to be updated to 1.5.1 or 1.6.1, or
Note the creation of pipelines for plain Git will not work anymore after
     installing the fix for this issue.

HTTP session fixation vulnerability in SAML Plugin

SECURITY-916 / CVE-2018-1000602

SAML Plugin did not invalidate the previous session and create a new one upon
successful login, allowing attackers able to control or obtain another user?s
pre-login session ID to impersonate them.

SAML Plugin now invalidates the previous session during login, and creates a
new one.

CSRF vulnerability and missing permission checks in Openstack Cloud Plugin
allowed capturing credentials

SECURITY-808 / CVE-2018-1000603

Openstack Cloud Plugin did not perform permission checks on methods
implementing form validation. This allowed users with Overall/Read access to
Jenkins to connect to an attacker-specified URL using attacker-specified
credentials IDs obtained through another method, capturing credentials stored
in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified
URLs.

Additionally, these form validation methods did not require POST requests,
resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer
permissions.

AWS CodeDeploy Plugin persisted possibly sensitive environment variables in job
configuration

SECURITY-825 / CVE-2018-1000402

AWS CodeDeploy Plugin could persist environment variables from the last run of
any project with the post-build step configured in the job?s config.xml file.

In some cases, this allowed users with file system access or Extended Read
permission to obtain those potentially sensitive environment variables by
accessing the project?s config.xml.

AWS CodeDeploy Plugin 1.20 and newer no longer stores build environment
variables on disk. Existing job config.xml will retain the stored environment
variables until the job configuration is saved again.

AWS CodeDeploy Plugin stored AWS Secret Key in plain text

SECURITY-833 / CVE-2018-1000403

AWS CodeDeploy Plugin stored the AWS Secret Key in its configuration
unencrypted in jobs' config.xml files and its global configuration file on the
Jenkins master. This key could be viewed by users with Extended Read
permission, or access to the master file system.

While masked from view using a password form field, the AWS Secret Key was
transferred in plain text to users when accessing the job configuration form.

AWS CodeDeploy Plugin 1.20 and newer stores the AWS Secret Key encrypted in the
configuration files on disk and no longer transfers it to users viewing the
configuration form in plain text. Existing jobs need to have their
configuration saved for existing plain text secret keys to be overwritten.

AWS CodeBuild Plugin stored AWS Secret Key in plain text

SECURITY-834 / CVE-2018-1000404

AWS CodeBuild Plugin stored the AWS Secret Key in its configuration unencrypted
in jobs' config.xml files on the Jenkins master. This key could be viewed by
users with Extended Read permission, or access to the master file system.

While masked from view using a password form field, the AWS Secret Key was
transferred in plain text to users when accessing the job configuration form.

AWS CodeBuild Plugin 0.27 and newer stores the AWS Secret Key encrypted in the
configuration file on disk and no longer transfers it to users viewing the
configuration form in plain text. Existing jobs need to have their
configuration saved for existing plain text secret keys to be overwritten.

AWS CodePipeline Plugin stored AWS Secret Key in plain text

SECURITY-967 / CVE-2018-1000401

AWS CodePipeline Plugin stored the AWS Secret Key in its configuration
unencrypted in jobs' config.xml files on the Jenkins master. This key could be
viewed by users with Extended Read permission, or access to the master file
system.

While masked from view using a password form field, the AWS Secret Key was
transferred in plain text to users when accessing the job configuration form.

AWS CodePipeline Plugin 0.37 and newer stores the AWS Secret Key encrypted in
the configuration file on disk and no longer transfers it to users viewing the
configuration form in plain text. Existing jobs need to have their
configuration saved for existing plain text secret keys to be overwritten.

Persisted cross-site scripting vulnerability in Badge Plugin

SECURITY-906 / CVE-2018-1000604

Badge Plugin stored and displayed user-provided HTML for badges and summaries
unprocessed, allowing users with the ability to control badge content to store
malicious HTML to be displayed within Jenkins.

Badge Plugin 1.5 and newer sanitizes the provided HTML for display on the
Jenkins web UI.

CollabNet Plugin globally and unconditionally disables SSL/TLS certificate
validation

SECURITY-941 / CVE-2018-1000605

CollabNet Plugin disabled SSL/TLS certificate validation for the entire Jenkins
master JVM by default.

CollabNet Plugin 2.0.5 and newer no longer does that. It instead requires users
to opt in to disabling SSL/TLS certificate validation by setting the system
property hudson.plugins.collabnet.CollabNetPlugin.skipSslValidation to true.
This feature applies to connections by this plugin only.

Server-side request forgery vulnerability in URLTrigger Plugin

SECURITY-819 / CVE-2018-1000606

A form validation method in URLTrigger Plugin did not check the permission of
the user accessing them, allowing anyone with Overall/Read access to Jenkins to
cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now no longer connects to a user provided URL.

Arbitrary file write vulnerability in Fortify CloudScan Plugin

SECURITY-870 / CVE-2018-1000607

Fortify CloudScan Plugin did not validate file names in rulepack ZIP archives
it extracts, resulting in an arbitrary file write vulnerability.

Fortify CloudScan Plugin 1.5.2 and newer rejects relative paths escaping the
ZIP extraction base directory.

IBM z/OS Connector Plugin stores password in plain text

SECURITY-950 / CVE-2018-1000608

IBM z/OS Connector Plugin did not encrypt password credentials stored in its
configuration. This could be used by users with master file system access to
obtain the password.

While masked from view using a password form field, the AWS Secret Key was
transferred in plain text to administrators when accessing the global
configuration form.

IBM z/OS Connector Plugin 2.0.0 and newer integrates with Credentials Plugin,
no longer storing credentials itself.

Configuration as Code Plugin allowed anyone with Overall/Read access to export
Jenkins configuration

SECURITY-927 / CVE-2018-1000609

Configuration as Code Plugin lacked a permission check in the method handling
the URL exporting the system configuration. This allowed users with Overall/
Read access to Jenkins to obtain this YAML export.

This permission check has been added in Configuration as Code Plugin 0.8-alpha.

Configuration as Code Plugin logged passwords in clear text

SECURITY-929 / CVE-2018-1000610

Configuration as Code Plugin logged secrets set via its configuration to the
Jenkins master system log in plain text. This allowed users with access to the
Jenkins log files to obtain these passwords and similar secrets.

Secrets are now masked when logging configuration.

Severity

  * SECURITY-915: medium
  * SECURITY-440: medium
  * SECURITY-916: medium
  * SECURITY-808: medium
  * SECURITY-825: medium
  * SECURITY-833: medium
  * SECURITY-834: medium
  * SECURITY-967: medium
  * SECURITY-906: medium
  * SECURITY-941: medium
  * SECURITY-819: medium
  * SECURITY-870: medium
  * SECURITY-950: low
  * SECURITY-927: medium
  * SECURITY-929: medium

Affected Versions

  * AWS CodeBuild Plugin up to and including 0.26
  * AWS CodeDeploy Plugin up to and including 1.19
  * AWS CodePipeline Plugin up to and including 0.36
  * Badge Plugin up to and including 1.4
  * CollabNet Plugins Plugin up to and including 2.0.4
  * Configuration as Code Plugin up to and including 0.7-alpha
  * Credentials Plugin up to and including 2.1.16
  * Fortify CloudScan Plugin up to and including 1.5.1
  * GitHub Plugin up to and including 1.29.1
  * IBM z/OS Connector Plugin up to and including 1.2.6.1
  * Openstack Cloud Plugin up to and including 2.35
  * SAML Plugin up to and including 1.0.6
  * SSH Credentials Plugin up to and including 1.13
  * URLTrigger Plugin up to and including 0.41

Fix

  * AWS CodeBuild Plugin should be updated to version 0.27
  * AWS CodeDeploy Plugin should be updated to version 1.20
  * AWS CodePipeline Plugin should be updated to version 0.37
  * Badge Plugin should be updated to version 1.5
  * CollabNet Plugins Plugin should be updated to version 2.0.5
  * Configuration as Code Plugin should be updated to version 0.8-alpha
  * Credentials Plugin should be updated to version 2.1.17
  * Fortify CloudScan Plugin should be updated to version 1.5.2
  * GitHub Plugin should be updated to version 1.29.2
  * IBM z/OS Connector Plugin should be updated to version 2.0.0
  * Openstack Cloud Plugin should be updated to version 2.36
  * SAML Plugin should be updated to version 1.0.7
  * SSH Credentials Plugin should be updated to version 1.14
  * URLTrigger Plugin should be updated to version 0.42

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Daniel Beck, CloudBees, Inc. for SECURITY-941
  * Jesse Glick, CloudBees, Inc. for SECURITY-440
  * Oleg Nenashev, CloudBees, Inc. for SECURITY-825
  * Orange Tsai(@orange_8361) from DEVCORE for SECURITY-915
  * Snyk Security Research Team for SECURITY-870
  * Thomas de Grenier de Latour for SECURITY-808, SECURITY-819
  * Viktor Gazdag for SECURITY-833, SECURITY-834, SECURITY-967, SECURITY-950

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWzF9OmaOgq3Tt24GAQg2thAAickd45fZu9QNP3qh4/A4I5rkWvQ3wuGt
Oh1W93Q9JQaXxANzNnKWlqtdIE9HuR8O5gnZofDHNnYWq1nGtoxqtOa4dDarAhGW
mpoSpRfBg6SzP5Pubu1zjjKT7X9ngRXkPCen+5uGOxt7PTah0iq5sgMz/HFGw70c
oWHwQBbaphcjiC/BYUiQHABbPgmx7+YjQmr1CdpEH9C8YWntfXmfs9XsO/sNc6o0
goyj77rv9MHd1zE2tGqgAepbWEypdWeELLXz7ui2h8r4i/rKQxJTqIErtkXluNrb
FHs/wiJz+jKd5djgP2aBbOBRFKjMCbcOzGDF0YWUGBpLAybtsnEwBN7z2Qh7B3Jg
WaSQbnVhm6j6xWXdWIplNbeldsYdQCddNry7wKjFR0RRtnAMu5w6P+QFXBJxQifO
FEKFD2f2wN4SfjVznl+f2puS2A+OkR7IPqz3KL0RiIJmytd+krKWe0qu4DatZ77h
Vu1dbsQNhO0cK/zMW+DGVCov90uJ2rJLd50fMdvq7Pz+Av9a0se0CgEY9Yc2ZrS4
Fidnltc/Vba0t+h+i2iSp8192Oc1OXL7LZVo+KzQfGW9QH3HJ+0cZrU1PMQvN//7
WCrFhpFhntxtA6wYRpSMeApa8A9dBBR3VoLYMMh9POJUgR79taaa3YUj/ReIUJwC
d9uRNBz3zms=
=7f8B
-----END PGP SIGNATURE-----

« Back to bulletins