ESB-2018.2217 - [Win][UNIX/Linux] Jenkins plugins: Access privileged data - Remote/unauthenticated 2018-07-31

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2217
                     Jenkins plugins Security Advisory
                               31 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data     -- Remote/Unauthenticated      
                   Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Existing Account            
                   Reduced Security           -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://jenkins.io/security/advisory/2018-07-30/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-07-30

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o AccuRev Plugin
  o Agiletestware Pangolin Connector for TestRail Plugin
  o Anchore Container Image Scanner Plugin
  o Confluence Publisher Plugin
  o Inedo BuildMaster Plugin
  o Inedo ProGet Plugin
  o Kubernetes Plugin
  o Maven Artifact ChoiceListProvider (Nexus) Plugin
  o meliora-testlab Plugin
  o Publish Over CIFS Plugin
  o Resource Disposer Plugin
  o SaltStack Plugin
  o Shelve Project Plugin
  o SSH Agent Plugin
  o Tinfoil Security Plugin
  o TraceTronic ECU-TEST Plugin

Descriptions

SSH Agent Plugin could reveal SSH key passphrase when used inside pipeline

SECURITY-704 / CVE pending

When using the sshagent step inside a withDockerContainer block in Pipeline,
the resulting logging of the ssh-add command included the SSH key passphrase in
plain text.

The plugin no longer logs the ssh-add invocation that would reveal the
passphrase.

CSRF vulnerability and missing permission checks in Resource Disposer Plugin

SECURITY-997 / CVE pending

Resource Disposer Plugin did not perform permission checks on an API endpoint.
This allowed users with Overall/Read access to Jenkins to stop tracking a
specified resource.

Additionally, this API endpoint did not require POST requests, resulting in a
CSRF vulnerability.

This API endpoint now requires POST requests and Overall/Administer
permissions.

CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin

SECURITY-975 / CVE pending

Publish Over CIFS Plugin did not perform permission checks on a method
implementing form validation. This allowed users with Overall/Read access to
Jenkins to initiate CIFS connections to an attacker specified host.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer
permissions.

CSRF vulnerability and missing permission checks in Confluence Publisher Plugin

SECURITY-982 / CVE pending

Confluence Publisher Plugin did not perform permission checks on a method
implementing form validation. This allowed users with Overall/Read access to
Jenkins to submit login requests to Confluence using attacker-specified
credentials.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer
permissions.

CSRF vulnerability and missing permission checks in Kubernetes Plugin allowed
capturing credentials

SECURITY-1016 / CVE pending

Kubernetes Plugin did not perform permission checks on a method implementing
form validation. This allowed users with Overall/Read access to Jenkins to
connect to an attacker-specified Kubernetes cluster using attacker-specified
credentials IDs obtained through another method, capturing credentials stored
in Jenkins.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer
permissions.

Tinfoil Security Plugin stored API Secret Key in plain text

SECURITY-840 / CVE pending

Tinfoil Security Plugin stored the API Secret Key unencrypted in its global
configuration file on the Jenkins master. This key could be viewed by users with
access to the master file system.

The plugin now integrates with Credentials Plugin. Existing configurations are
not migrated and will need to be reconfigured.

TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS
certificate validation

SECURITY-932 / CVE pending

TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate
validation for the entire Jenkins master JVM.

TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an
option that allows disabling SSL/TLS certificate validation for specific
connections by this plugin.

CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin
allowed server-side request forgery

SECURITY-994 / CVE pending

TraceTronic ECU-TEST Plugin did not perform permission checks on a method
implementing form validation. This allowed users with Overall/Read access to
Jenkins to connect to an attacker-specified URL, with the suffix
/app-version-info appended.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer
permissions.

CSRF vulnerability and missing permission checks in SaltStack Plugin allowed
capturing credentials

SECURITY-1009 / CVE pending

SaltStack Plugin did not perform permission checks on methods implementing form
validation. This allowed users with Overall/Read access to Jenkins to connect
to an attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins, and to cause
Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests,
resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer
permissions.

CSRF vulnerability and missing permission checks in AccuRev Plugin allowed
capturing credentials

SECURITY-1021 / CVE pending

AccuRev Plugin did not perform permission checks on a method implementing form
validation. This allowed users with Overall/Read access to Jenkins to connect
to an attacker-specified AccuRev server using attacker-specified credentials
IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer
permissions.

Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin

SECURITY-1001 / CVE pending

Shelve Project Plugin did not escape the names of shelved projects on the UI,
potentially resulting in a stored XSS vulnerability.

Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects
shown on the UI.

CSRF vulnerability and missing permission checks in Maven Artifact
ChoiceListProvider (Nexus) Plugin allowed capturing credentials

SECURITY-1022 / CVE pending

Maven Artifact ChoiceListProvider (Nexus) Plugin did not perform permission
checks on a method implementing form validation. This allowed users with
Overall/Read access to Jenkins to connect to an attacker-specified Nexus or
Artifactory server using attacker-specified credentials IDs obtained through
another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer
permissions.

meliora-testlab Plugin stored API Key in plain text

SECURITY-847 / CVE pending

meliora-testlab Plugin stored the API Key unencrypted in its global
configuration file on the Jenkins master. This key could be viewed by users
with access to the master file system.

Additionally, the API key was not masked from view using a password form field.

The plugin now stores the API Key encrypted in the configuration files on disk
and no longer transfers it to users viewing the configuration form in plain
text.

CSRF vulnerability and missing permission checks in Agiletestware Pangolin
Connector for TestRail Plugin allowed overriding plugin configuration

SECURITY-995 / CVE pending

Agiletestware Pangolin Connector for TestRail Plugin did not perform permission
checks on an API endpoint used to validate and save the plugin configuration.
This allowed users with Overall/Read access to Jenkins to override the plugin
configuration.

Additionally, the API endpoint did not require POST requests, resulting in a
CSRF vulnerability.

This API endpoint now requires POST requests and Overall/Administer
permissions.
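The entries above that pair "missing permission checks" with "CSRF vulnerability"
all share one code shape, and so do their fixes. The following is an added
example, not code from any plugin named in this advisory: a hypothetical global
configuration (ExampleServerConfig, doTestConnection, doFillCredentialsIdItems are
invented names) with a connection-test method written the way the affected plugins
had it, next to the same method with the two-line fix the advisory describes. It
assumes the Credentials Plugin API for credential lookup. The SSRF-only entries
(SECURITY-975, -982, -994) are the same shape without the credential lookup; the
API-endpoint entries (SECURITY-997, -995) differ only in what the method does once
reached.

```java
// Added example, not code from any of the plugins named in this advisory.
// Class and method names (ExampleServerConfig, doTestConnection, ...) are
// hypothetical; the Credentials Plugin calls are real API.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    // BEFORE: reachable by GET with no permission check. Stapler routes
    // /descriptorByName/example.ExampleServerConfig/testConnectionVulnerable
    // to this method for anyone with Overall/Read, and a link or <img src=...>
    // on a third-party page reaches it with the victim's session (CSRF).
    // The caller chooses `url`; Jenkins looks up the stored credential and
    // authenticates to that host with it.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
        return connect(url, lookup(credentialsId));
    }

    // AFTER: the shape of the fixes in this advisory. @RequirePOST makes Stapler
    // reject GET, so a cross-site link cannot trigger the call and Jenkins'
    // crumb check applies to the POST; checkPermission limits callers to
    // Overall/Administer, which is needed to edit this configuration anyway.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(url, lookup(credentialsId));
    }

    // The "another method" the advisory refers to: the drop-down filler that
    // hands out credential IDs. Restrict it as well so IDs are not enumerable.
    public ListBoxModel doFillCredentialsIdItems() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, Jenkins.get(), StandardUsernamePasswordCredentials.class);
    }

    private static StandardUsernamePasswordCredentials lookup(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    // The connection test itself: one authenticated request to `url`. Through the
    // vulnerable entry point above, this is where the stored secret leaves Jenkins.
    private static FormValidation connect(String url, StandardUsernamePasswordCredentials c) {
        if (c == null) {
            return FormValidation.error("No credential with that ID");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected")
                                : FormValidation.error("HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

When reviewing a plugin for this class of issue, look for every public `do*`
method on a Descriptor or GlobalConfiguration that takes a `@QueryParameter` and
performs a network call or a state change: each one needs both the POST
requirement and an explicit permission check, because Stapler exposes it to any
user who can reach the Jenkins web root.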

Anchore Container Image Scanner Plugin stored password in plain text

SECURITY-1039 / CVE pending

Anchore Container Image Scanner Plugin stored the password unencrypted in its
global configuration file on the Jenkins master. This password could be viewed
by users with access to the master file system.

The plugin now stores the password encrypted in the configuration files on disk
and no longer transfers it to users viewing the configuration form in plain
text.
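The three plain-text storage entries (SECURITY-840, -847, -1039) come down to
the type of one field. The following is an added example, not code from the
Tinfoil Security, meliora-testlab or Anchore plugins: a hypothetical global
configuration (ExampleScannerConfig and its apiKey field are invented names)
showing the field as the affected plugins had it and as Jenkins expects it. It
does not show the Credentials Plugin integration that Tinfoil Security Plugin 2.0
adopted instead.

```java
// Added example, not code from the Tinfoil Security, meliora-testlab or Anchore
// plugins. Class and field names are hypothetical; hudson.util.Secret is real.
package example;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

@Extension
public class ExampleScannerConfig extends GlobalConfiguration {

    // BEFORE: a plain String is serialised verbatim into
    // $JENKINS_HOME/example.ExampleScannerConfig.xml, readable by anyone with
    // file-system access to the master, and if the Jelly view used <f:textbox>
    // it was also sent back in clear to anyone allowed to open the form.
    //
    //     private String apiKey;

    // AFTER: Secret is encrypted with the instance's master key when XStream
    // serialises it (the XML holds only ciphertext), and an
    // <f:password field="apiKey"/> control in the Jelly view renders the
    // encrypted form back to the browser rather than the plaintext.
    private Secret apiKey;

    public ExampleScannerConfig() {
        load();   // reads and decrypts the stored value on startup
    }

    public Secret getApiKey() {
        return apiKey;
    }

    @DataBoundSetter
    public void setApiKey(Secret apiKey) {
        this.apiKey = apiKey;
        save();
    }

    // Unwrap the plaintext only at the moment the outbound request is built,
    // never into a field, log line or form response.
    String authorizationHeader() {
        return "Bearer " + Secret.toString(apiKey);
    }
}
```

A quick check for an installed plugin: open its `*.xml` under `$JENKINS_HOME`
and confirm that secret-bearing elements contain an encrypted blob rather than
the value you typed into the form.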

Inedo ProGet Plugin globally and unconditionally disabled SSL/TLS certificate
validation

SECURITY-933 / CVE pending

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for
the entire Jenkins master JVM.

The plugin now has an option, disabled by default, to disable SSL/TLS
certificate validation that only applies to its own connections.

Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS
certificate validation

SECURITY-935 / CVE pending

Inedo BuildMaster Plugin unconditionally disabled SSL/TLS certificate validation
for the entire Jenkins master JVM.

The plugin now has an option, disabled by default, to disable SSL/TLS
certificate validation that only applies to its own connections.
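The three "globally and unconditionally" entries (SECURITY-932, -933, -935)
share a root cause worth seeing in code. The following is an added example, not
code from the TraceTronic or Inedo plugins: a hypothetical helper (TlsScope,
disableValidationGlobally and open are invented names) with the process-wide
call the affected versions made, beside the per-connection, opt-in form the
fixed versions describe.

```java
// Added example, not code from the TraceTronic ECU-TEST, Inedo ProGet or Inedo
// BuildMaster plugins. Class and method names are hypothetical; the JSSE and
// HttpsURLConnection calls are real API.
package example;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;

public final class TlsScope {

    // A trust manager that accepts any certificate chain from any issuer.
    private static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    } };

    private static SSLSocketFactory trustAllFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        return ctx.getSocketFactory();
    }

    // BEFORE: process-wide. These two static setters change the defaults for
    // every HttpsURLConnection in the JVM that does not install its own factory
    // and verifier: Jenkins core, every other plugin, the update center check.
    // From the first time the plugin runs until the master restarts, none of
    // them validates certificates or hostnames, and nothing in their own code
    // shows why.
    static void disableValidationGlobally() throws GeneralSecurityException {
        HttpsURLConnection.setDefaultSSLSocketFactory(trustAllFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // AFTER: scoped and opt-in. Validation is relaxed only on this connection,
    // and only when the administrator enabled the option (default: validate),
    // which is what the 2.4 / 1.0 / 2.0 releases describe.
    static HttpURLConnection open(URL url, boolean skipTlsValidation)
            throws IOException, GeneralSecurityException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (skipTlsValidation && conn instanceof HttpsURLConnection) {
            HttpsURLConnection https = (HttpsURLConnection) conn;
            https.setSSLSocketFactory(trustAllFactory());
            https.setHostnameVerifier((hostname, session) -> true);
        }
        return conn;
    }
}
```

When auditing a Jenkins master for this behaviour, grep plugin sources for
`setDefaultSSLSocketFactory` and `setDefaultHostnameVerifier`: any call outside
a test is a master-wide change, whatever the plugin's own connections need.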

Severity

  o SECURITY-704: low
  o SECURITY-997: low
  o SECURITY-975: medium
  o SECURITY-982: medium
  o SECURITY-1016: medium
  o SECURITY-840: low
  o SECURITY-932: medium
  o SECURITY-994: medium
  o SECURITY-1009: medium
  o SECURITY-1021: medium
  o SECURITY-1001: medium
  o SECURITY-1022: medium
  o SECURITY-847: low
  o SECURITY-995: medium
  o SECURITY-1039: low
  o SECURITY-933: medium
  o SECURITY-935: medium

Affected Versions

  o AccuRev Plugin up to and including 0.7.16
  o Agiletestware Pangolin Connector for TestRail Plugin up to and including
    2.1
  o Anchore Container Image Scanner Plugin up to and including 1.0.16
  o Confluence Publisher Plugin up to and including 2.0.1
  o Inedo BuildMaster Plugin up to and including 1.3
  o Inedo ProGet Plugin up to and including 0.8
  o Kubernetes Plugin up to and including 1.10.1
  o Maven Artifact ChoiceListProvider (Nexus) Plugin up to and including 1.3.1
  o meliora-testlab Plugin up to and including 1.14
  o Publish Over CIFS Plugin up to and including 0.10
  o Resource Disposer Plugin up to and including 0.11
  o SaltStack Plugin up to and including 3.1.6
  o Shelve Project Plugin up to and including 1.5
  o SSH Agent Plugin up to and including 1.15
  o Tinfoil Security Plugin up to and including 1.6.1
  o TraceTronic ECU-TEST Plugin up to and including 2.3

Fix

  o AccuRev Plugin should be updated to version 0.7.17
  o Agiletestware Pangolin Connector for TestRail Plugin should be updated to
    version 2.2
  o Anchore Container Image Scanner Plugin should be updated to version 1.0.17
  o Confluence Publisher Plugin should be updated to version 2.0.2
  o Inedo BuildMaster Plugin should be updated to version 2.0
  o Inedo ProGet Plugin should be updated to version 1.0
  o Kubernetes Plugin should be updated to version 1.10.2
  o Maven Artifact ChoiceListProvider (Nexus) Plugin should be updated to
    version 1.3.2
  o meliora-testlab Plugin should be updated to version 1.15
  o Publish Over CIFS Plugin should be updated to version 0.11
  o Resource Disposer Plugin should be updated to version 0.12
  o SaltStack Plugin should be updated to version 3.1.7
  o Shelve Project Plugin should be updated to version 2.0
  o SSH Agent Plugin should be updated to version 1.16
  o Tinfoil Security Plugin should be updated to version 2.0
  o TraceTronic ECU-TEST Plugin should be updated to version 2.4

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-932, SECURITY-933, SECURITY-935
  o Jan Hollevoet for SECURITY-704
  o Oleg Nenashev for SECURITY-1016, SECURITY-1009, SECURITY-1021,
    SECURITY-1001, SECURITY-1022
  o Viktor Gazdag for SECURITY-975, SECURITY-982, SECURITY-840, SECURITY-994,
    SECURITY-847, SECURITY-995, SECURITY-1039

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================