ESB-2018.3094 - [Win][UNIX/Linux] Jenkins core: Access privileged data - Existing account 2018-10-12


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3094
                   Jenkins Security Advisory 2018-10-10
                              12 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins core
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data -- Existing Account            
                   Create Arbitrary Files -- Existing Account            
                   Cross-site Scripting   -- Remote with User Interaction
                   Reduced Security       -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1999043  

Original Bulletin: 
   https://jenkins.io/security/advisory/2018-10-10/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-10-10

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Jenkins (core)

Descriptions

Path traversal vulnerability in Stapler allowed accessing internal data

SECURITY-867 / CVE pending

A path traversal vulnerability in Stapler allowed viewing routable objects
with views defined on any type. This could be used to access internal data of
routable objects, commonly by showing their string representation
(#toString()).

Arbitrary file write vulnerability using file parameter definitions

SECURITY-1074 / CVE pending

Users with Job/Configure permission could specify a relative path escaping the
base directory in the file name portion of a file parameter definition. This
path would be used to archive the uploaded file on the Jenkins master,
resulting in an arbitrary file write vulnerability.

File parameters that escape the base directory are no longer accepted and the
build will fail.
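As an added illustration of the containment check the fix above implies (example code written for this bulletin, not Jenkins' own): the file name portion of the parameter is joined to the archive base directory, normalised, and accepted only if the result still lies inside that directory. The base path and file names are constructed samples.

```python
import posixpath


class PathEscapesBaseError(ValueError):
    """Raised when a user-supplied relative path would leave the base directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return base_dir/user_path if, after normalisation, it names a file inside
    base_dir; raise PathEscapesBaseError otherwise.

    Paths are handled as POSIX-style strings so the check behaves the same on
    any host. This is a generic containment check, not Jenkins' implementation.
    """
    if not user_path or user_path.startswith("/") or "\\" in user_path:
        # Empty names, absolute paths and backslash separators are never acceptable.
        raise PathEscapesBaseError(f"rejected path: {user_path!r}")
    base = posixpath.normpath(base_dir)
    prefix = base if base.endswith("/") else base + "/"
    # normpath collapses "sub/../.." segments, so a path that escaped no longer
    # carries the base prefix. Comparing against "base/" (with separator) also
    # stops "files2" from matching "files".
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or not candidate.startswith(prefix):
        raise PathEscapesBaseError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper suitable for a validation step that fails the build."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathEscapesBaseError:
        return False


if __name__ == "__main__":
    base = "/srv/builds/42/files"  # constructed sample archive directory
    for name in ("upload.zip", "sub/../upload.zip", "../../outside.txt", "sub/../../x"):
        print(f"{name!r}: {'accepted' if is_safe(base, name) else 'rejected'}")
```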

Reflected XSS vulnerability

SECURITY-1129 / CVE pending

The wrapper query parameter for the XML variant of the Jenkins remote API did
not validate the specified tag name. This resulted in a reflected cross-site
scripting vulnerability.

Only legal XML tag names are now allowed for the wrapper query parameter.
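An added example, not code from Jenkins, of what "only legal XML tag names" means in practice: the wrapper name is checked against a conservative ASCII subset of the XML Name production before it becomes an element name, shown beside the naive string interpolation that lets an unchecked name break out of the element.

```python
import re
import xml.etree.ElementTree as ET

# Conservative ASCII subset of the XML 1.0 Name production: a start character
# (letter, underscore or colon) followed by letters, digits, '_', ':', '.' or '-'.
# Angle brackets, quotes, spaces and slashes are therefore rejected, which is
# what stops a caller-chosen wrapper name from closing or injecting elements.
_XML_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.\-]*$")


def is_legal_xml_tag_name(name: str) -> bool:
    """Return True if 'name' may be used verbatim as an XML element name."""
    return bool(name) and _XML_NAME.match(name) is not None


def naive_wrap(wrapper: str, body_xml: str) -> str:
    """The flawed pattern: the wrapper name is interpolated without any check,
    so whatever the caller supplied lands unescaped in the response."""
    return f"<{wrapper}>{body_xml}</{wrapper}>"


def wrap_in_element(wrapper: str, children: list[tuple[str, str]]) -> str:
    """Serialise (tag, text) pairs inside a wrapper element.

    Both the wrapper and child tag names are validated first; a rejected name
    raises ValueError instead of being written into the document. Text values
    are escaped by ElementTree during serialisation.
    """
    if not is_legal_xml_tag_name(wrapper):
        raise ValueError(f"illegal XML tag name for wrapper: {wrapper!r}")
    root = ET.Element(wrapper)
    for tag, text in children:
        if not is_legal_xml_tag_name(tag):
            raise ValueError(f"illegal XML tag name: {tag!r}")
        ET.SubElement(root, tag).text = text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: a legal wrapper name and one that would be rejected.
    print(wrap_in_element("result", [("name", "demo")]))
    for candidate in ("result", "ns:item", "1abc", "a b", "a<b"):
        print(f"{candidate!r}: {'legal' if is_legal_xml_tag_name(candidate) else 'rejected'}")
```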

Ephemeral user record was created on some invalid authentication attempts

SECURITY-1162 / CVE-2018-1999043

When attempting to authenticate using an API token, an ephemeral user record
was created to validate the token in case an external security realm was used
and the user record had not previously been saved in Jenkins, as (legacy) API
tokens could exist without a persisted user record.

This behavior could be abused to create a large number of ephemeral user
records in memory.

This is the same vulnerability as SECURITY-672. The fix for SECURITY-672 was
previously incorrectly applied and therefore not effective. This has been
fixed.

Ephemeral user record creation

SECURITY-1128 / CVE pending

By accessing a specific crafted URL on Jenkins instances using Jenkins' own
user database, users without Overall/Read access could create ephemeral user
records.

This behavior could be abused to create a large number of ephemeral user
records in memory.

Accessing this URL now no longer results in a user record getting created.

Session fixation vulnerability on user signup

SECURITY-1158 / CVE pending

When signing up for a new user account on instances using Jenkins' own user
database, Jenkins did not invalidate the existing session and create a new
one. This allowed session fixation.

Jenkins now invalidates the existing session and creates a new one when
logging in after user signup.

Failures to process form submission data could result in secrets being
displayed or written to logs

SECURITY-765 / CVE pending

When Jenkins fails to process form submissions due to an internal error, the
error message shown to the user and written to the log typically includes the
serialized JSON form submission. Secrets, such as submitted passwords, might
be included with the JSON object, and shown or written to disk in plain text.

Jenkins now masks values in these error messages from view if they were shown
on the UI as password form fields.

Severity

  o SECURITY-765: low
  o SECURITY-867: medium
  o SECURITY-1074: medium
  o SECURITY-1128: medium
  o SECURITY-1129: medium
  o SECURITY-1158: medium
  o SECURITY-1162: medium

Affected Versions

  o Jenkins weekly up to and including 2.145
  o Jenkins LTS up to and including 2.138.1

Fix

  o Jenkins weekly should be updated to version 2.146
  o Jenkins LTS should be updated to version 2.138.2

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Apple Information Security for SECURITY-867
  o Evan Grant of Tenable for SECURITY-1128, SECURITY-1129
  o Oleg Nenashev for SECURITY-1074
  o Sam Gleske for SECURITY-765
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1158
  o Zhao Xiaojie for SECURITY-1162

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
