ESB-2018.2103 - ALERT [Win][UNIX/Linux] Jenkins: Multiple vulnerabilities 2018-07-19


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2103
                   Jenkins Security Advisory 2018-07-18
                               19 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Administrator Compromise   -- Remote/Unauthenticated
                   Increased Privileges       -- Existing Account      
                   Cross-site Request Forgery -- Existing Account      
                   Access Confidential Data   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1999007 CVE-2018-1999006 CVE-2018-1999005
                   CVE-2018-1999004 CVE-2018-1999003 CVE-2018-1999002
                   CVE-2018-1999001  

Original Bulletin: 
   https://jenkins.io/security/advisory/2018-07-18/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-07-18

This advisory announces vulnerabilities in the following Jenkins deliverables:

    Jenkins (core)

Descriptions

Users without Overall/Read permission can have Jenkins reset parts of global 
configuration on the next restart

SECURITY-897 / CVE-2018-1999001

Unauthenticated users could provide maliciously crafted login credentials that
cause Jenkins to move the config.xml file from the Jenkins home directory. 
This configuration file contains basic configuration of Jenkins, including the
selected security realm and authorization strategy. If Jenkins is started 
without this file present, it will revert to the legacy defaults of granting 
administrator access to anonymous users.

The fix prevents this behavior.

To mitigate this problem, we strongly advise that administrators of Jenkins 
instances without this fix, that are reachable by untrusted users, save the 
global configuration shortly before shutting down Jenkins. Doing so will write
the current configuration from memory to the config.xml file, which is only 
read on startup or when reloading configuration.

If Jenkins has already been shut down after this issue has been exploited, the
config.xml file can be found at users/$002e$002e/config.xml in the Jenkins 
home directory.

This issue was caused by the fix for SECURITY-499 in the 2017-11-08 security 
advisory.
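The pre-shutdown check and the recovery step described above, written out as a POSIX shell script. This is an added example, not code from the Jenkins advisory or the Jenkins project: it checks a JENKINS_HOME for the state SECURITY-897 leaves behind (config.xml gone, a copy sitting at users/$002e$002e/config.xml as the advisory states) and moves the displaced file back. The sample config.xml it writes into throwaway directories for the demo is constructed for illustration; the security realm and authorization strategy class names in it are assumed, not taken from the advisory.

```shell
#!/bin/sh
# Added example for the SECURITY-897 mitigation (not code from the Jenkins
# advisory). Checks a JENKINS_HOME before a restart and restores a displaced
# config.xml. Return codes of check_jenkins_home:
#   0  config.xml present and declares securityRealm + authorizationStrategy
#   1  config.xml missing: a restart would fall back to anonymous admin
#   2  the displaced copy users/$002e$002e/config.xml exists (exploited)
#   3  config.xml present but without security settings

check_jenkins_home() {
    home="$1"
    displaced="$home/users/\$002e\$002e/config.xml"
    if [ -f "$displaced" ]; then
        echo "EXPLOITED: $displaced exists; global config was moved out of $home" >&2
        return 2
    fi
    if [ ! -f "$home/config.xml" ]; then
        echo "MISSING: $home/config.xml; do not restart until it is restored" >&2
        return 1
    fi
    if ! grep -q '<securityRealm' "$home/config.xml" ||
       ! grep -q '<authorizationStrategy' "$home/config.xml"; then
        echo "WARNING: $home/config.xml has no securityRealm/authorizationStrategy" >&2
        return 3
    fi
    echo "OK: $home/config.xml present with security settings" >&2
    return 0
}

# Move the displaced file back into place, keeping any config.xml already there.
restore_jenkins_config() {
    home="$1"
    displaced="$home/users/\$002e\$002e/config.xml"
    [ -f "$displaced" ] || return 1
    if [ -f "$home/config.xml" ]; then
        cp -p "$home/config.xml" "$home/config.xml.bak.$(date +%s)"
    fi
    mv "$displaced" "$home/config.xml"
    rmdir "$home/users/\$002e\$002e" 2>/dev/null || true
    return 0
}

# Constructed sample global configuration, used only by the demo below.
# The class names are assumed for illustration.
write_sample_config() {
    cat > "$1" <<'EOF'
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
EOF
}

# Build a throwaway JENKINS_HOME in one of three states: healthy, missing, displaced.
make_demo_home() {
    d=$(mktemp -d)
    case "$1" in
        healthy)   write_sample_config "$d/config.xml" ;;
        missing)   : ;;
        displaced) mkdir -p "$d/users/\$002e\$002e"
                   write_sample_config "$d/users/\$002e\$002e/config.xml" ;;
    esac
    echo "$d"
}

# Demo: an exploited home is detected (rc 2), repaired, then passes (rc 0).
demo=$(make_demo_home displaced)
check_jenkins_home "$demo" || true
restore_jenkins_config "$demo"
check_jenkins_home "$demo"
rm -rf "$demo"
```

Run `check_jenkins_home /var/lib/jenkins` (or wherever JENKINS_HOME lives) as part of the shutdown procedure and refuse the restart on anything but 0; after a restore, save the global configuration once Jenkins is back up so the in-memory state is written out again.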

Arbitrary file read vulnerability

SECURITY-914 / CVE-2018-1999002

An arbitrary file read vulnerability in the Stapler web framework used by 
Jenkins allowed unauthenticated users to send crafted HTTP requests returning
the contents of any file on the Jenkins master file system that the Jenkins 
master process has access to.

Input validation in Stapler has been improved to prevent this.

Unauthorized users could cancel queued builds

SECURITY-891 / CVE-2018-1999003

The URLs handling cancellation of queued builds did not perform a permission 
check, allowing users with Overall/Read permission to cancel queued builds.

The URLs handling cancellation of queued builds now ensure that the user has 
the Item/Cancel permission.

Unauthorized users could initiate and abort agent launches

SECURITY-892 / CVE-2018-1999004

The URL that initiates agent launches on the Jenkins master did not perform a
permission check, allowing users with Overall/Read permission to initiate 
agent launches.

Doing so canceled all ongoing launches for the specified agent, so this 
allowed attackers to prevent an agent from launching indefinitely.

The URL for agent launches now ensures that the user has the Agent/Connect 
permission.

Stored XSS vulnerability

SECURITY-944 / CVE-2018-1999005

The build timeline widget shown on URLs like /view//builds did not properly 
escape display names of items. This resulted in a cross-site scripting 
vulnerability exploitable by users able to control item display names.

Jenkins now escapes job display names shown on the timeline widget.

Unauthorized users are able to determine when a plugin was extracted from its
JPI package

SECURITY-925 / CVE-2018-1999006

Files indicating when a plugin JPI file was last extracted into a subdirectory
of plugins/ in the Jenkins home directory were accessible via HTTP by users 
with Overall/Read permission. This allowed unauthorized users to determine the
likely install date of a given plugin.

The affected files are no longer available via HTTP.

XSS vulnerability in Stapler debug mode

SECURITY-390 / CVE-2018-1999007

Stapler is the web framework used by Jenkins to route HTTP requests. When its
debug mode is enabled, HTTP 404 error pages display diagnostic information. 
Those error pages did not escape parts of URLs they displayed, in rare cases 
resulting in a cross-site scripting vulnerability.

Parts of URLs displayed on these error pages are now properly escaped.

As a workaround, Stapler debug mode should not be enabled on instances 
accessible to untrusted users.

Severity

SECURITY-897: high 
SECURITY-914: high
SECURITY-891: medium 
SECURITY-892: medium 
SECURITY-944: medium 
SECURITY-925: medium 
SECURITY-390: medium

Affected Versions

    Jenkins weekly up to and including 2.132
    Jenkins LTS up to and including 2.121.1

Fix

    Jenkins weekly should be updated to version 2.133
    Jenkins LTS should be updated to version 2.121.2

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless 
otherwise indicated.
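A version check against the affected and fixed releases listed above, as an added example that is not part of the advisory. Jenkins core reports its version in the X-Jenkins response header; the header block embedded below is constructed to look like such a response and is not a real capture. The script treats two-component versions (2.132) as the weekly line and three-component versions (2.121.1) as the LTS line, which is how the advisory distinguishes them.

```shell
#!/bin/sh
# Added example (not from the Jenkins advisory): decide whether a Jenkins
# version string is at or past the fixed releases of the 2018-07-18 advisory,
# and pull the version out of a captured set of response headers.

WEEKLY_FIXED_MINOR=133      # Jenkins weekly 2.133
LTS_FIXED_MINOR=121         # Jenkins LTS 2.121.2
LTS_FIXED_PATCH=2

# jenkins_is_fixed VERSION -> 0 if fixed, 1 if affected, 2 if unparseable
jenkins_is_fixed() {
    v="$1"
    case "$v" in
        *[!0-9.]*|"") return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" != "$v" ] || return 2          # need at least major.minor
    minor=${rest%%.*}
    patch=""
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
    esac
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    if [ "$major" -ne 2 ]; then
        [ "$major" -gt 2 ] && return 0       # a later major line
        return 1                              # 1.x: all prior versions affected
    fi
    if [ -z "$patch" ]; then
        # two components: weekly line, fixed from 2.133
        [ "$minor" -ge "$WEEKLY_FIXED_MINOR" ] && return 0
        return 1
    fi
    # three components: LTS line, fixed from 2.121.2
    [ "$minor" -gt "$LTS_FIXED_MINOR" ] && return 0
    [ "$minor" -eq "$LTS_FIXED_MINOR" ] && [ "$patch" -ge "$LTS_FIXED_PATCH" ] && return 0
    return 1
}

# version_from_headers HEADERS -> prints the X-Jenkins value; fails if absent
version_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "x-jenkins:" { print $2; found = 1 } END { exit !found }'
}

# Constructed sample response headers (not a real capture).
SAMPLE_HEADERS='HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Jenkins: 2.121.1
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8'

# Demo: parse the sample and report.
v=$(version_from_headers "$SAMPLE_HEADERS")
if jenkins_is_fixed "$v"; then
    echo "$v: fixed"
else
    echo "$v: affected; update to 2.133 (weekly) or 2.121.2 (LTS)"
fi
```

For a live instance, feed the output of `curl -s -o /dev/null -D - https://jenkins.example/` (which dumps only the response headers) into `version_from_headers`; note that the check only covers core, so plugins updated in other advisories still need their own review.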

Credit

The Jenkins project would like to thank the reporters for discovering and 
reporting these vulnerabilities:

    AZZAZ Yasmine, IT Security Engineer for SECURITY-944

    Daniel Beck, CloudBees, Inc. for SECURITY-925, SECURITY-390

    Nimrod Stoler of CyberArk Labs for SECURITY-897, SECURITY-891, 
    SECURITY-892

    Orange Tsai(@orange_8361) from DEVCORE for SECURITY-914

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
