ESB-2019.0265 - [Win][UNIX/Linux] Jenkins Plugins: Execute arbitrary code/commands - Remote with user interaction 2019-01-31

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0265
                   Jenkins Security Advisory 2019-01-28
                              31 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Plugins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Existing Account            
                   Denial of Service               -- Existing Account            
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://jenkins.io/security/advisory/2019-01-28/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-01-28

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Active Directory Plugin
  o Blue Ocean Plugin
  o Config File Provider Plugin
  o Git Plugin
  o GitHub Authentication Plugin
  o Groovy Plugin
  o Job Import Plugin
  o Kanboard Plugin
  o Monitoring Plugin
  o OpenId Connect Authentication Plugin
  o Script Security Plugin
  o Token Macro Plugin
  o Warnings Plugin
  o Warnings Next Generation Plugin

Descriptions

Sandbox Bypass in Script Security Plugin

SECURITY-1292 / CVE pending

Script Security sandbox protection could be circumvented during the script
compilation phase by applying AST transforming annotations such as @Grab to
source code elements.

This affected an HTTP endpoint used to validate a user-submitted Groovy script
that was not covered in the 2019-01-08 fix for SECURITY-1266 and allowed users
with Overall/Read permission to bypass the sandbox protection and execute
arbitrary code on the Jenkins master.

The affected HTTP endpoint now applies a safe Groovy compiler configuration
prohibiting unsafe AST transforming annotations.

Sandbox Bypass in Groovy Plugin

SECURITY-1293 / CVE pending

Groovy Plugin has a form validation HTTP endpoint used to validate a
user-submitted Groovy script through compilation, which was not subject to
sandbox protection. This allowed attackers with Overall/Read access to execute
arbitrary code on the Jenkins master by applying AST transforming annotations
such as @Grab to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration
preventing the use of unsafe AST transforming annotations.

Sandbox Bypass via CSRF in Warnings Plugin

SECURITY-1295 (1) / CVE pending

Warnings Plugin has a form validation HTTP endpoint used to validate a
user-submitted Groovy script through compilation, which was not subject to
sandbox protection. The endpoint checked for the Overall/RunScripts permission,
but did not require POST requests, so it was vulnerable to cross-site request
forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins
master by applying AST transforming annotations such as @Grab to source code
elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration
preventing the use of unsafe AST transforming annotations. Additionally, the
form validation HTTP endpoint now requires that requests be sent via POST to
prevent CSRF.

Sandbox Bypass via CSRF in Warnings Next Generation Plugin

SECURITY-1295 (2) / CVE pending

Warnings Next Generation Plugin has a form validation HTTP endpoint used to
validate a Groovy script through compilation, which was not subject to sandbox
protection. The endpoint checked for the Overall/RunScripts permission, but did
not require POST requests, so it was vulnerable to cross-site request forgery
(CSRF). This allowed attackers to execute arbitrary code on the Jenkins master
by applying AST transforming annotations such as @Grab to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration
preventing the use of unsafe AST transforming annotations. Additionally, the
form validation HTTP endpoint now requires that requests be sent via POST to
prevent CSRF.

Improper certificate validation with StartTLS in Active Directory Plugin

SECURITY-859 / CVE pending

Active Directory Plugin performs TLS upgrade (StartTLS) after connecting to
domain controllers through insecure LDAP. In this mode, certificates were not
properly validated, effectively trusting all certificates, allowing
man-in-the-middle attacks.

This only affected TLS upgrades. The LDAPS mode, available by setting the
system property
hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps to
true, was unaffected.

The plugin now properly validates certificates according to the TLS trust
configuration when performing a TLS upgrade.

CSRF vulnerability in Git Plugin

SECURITY-1095 / CVE pending

Git Plugin allows the creation of a tag in a job workspace's Git repository
with accompanying metadata attached to a build record.

The HTTP endpoint to create the tag did not require POST requests, resulting in
a CSRF vulnerability.

The HTTP endpoint to create the tag now requires that requests are sent via
POST.

Recursive token expansion results in information disclosure and DoS in Token
Macro Plugin

SECURITY-1102 / CVE pending

Token Macro Plugin recursively applied token expansion.

This could be used by users able to affect input to token expansion (such as
change log messages), to inject additional tokens into the input, which would
then be expanded, resulting in information disclosure (for example values of
environment variables), or denial of service.

Most tokens have been changed to no longer recursively apply token expansion.
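
The difference between recursive and single-pass expansion, as an added example that is not code from Token Macro Plugin or the Jenkins project. The ${NAME} syntax, the token names and all values are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; toy ${NAME} syntax, not Token Macro Plugin's real grammar.
public class TokenExpansionDemo {
    private static final Pattern TOKEN = Pattern.compile("\\$\\{([A-Z_]+)\\}");

    // Single pass: tokens in the template are replaced, and the values are
    // inserted verbatim without being scanned for further tokens.
    static String expandOnce(String template, Map<String, String> values) {
        Matcher m = TOKEN.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = values.get(m.group(1));
            // Unknown tokens are left as written.
            m.appendReplacement(out,
                    Matcher.quoteReplacement(value == null ? m.group() : value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Recursive behaviour described in the advisory: expanded output is fed
    // back into the expander until it stops changing. maxPasses bounds the loop.
    static String expandRecursively(String template, Map<String, String> values,
                                    int maxPasses) {
        String current = template;
        for (int pass = 0; pass < maxPasses; pass++) {
            String next = expandOnce(current, values);
            if (next.equals(current)) {
                return next;
            }
            current = next;
        }
        throw new IllegalStateException("no fixed point after " + maxPasses + " passes");
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("DEPLOY_KEY", "constructed-secret-value");  // sensitive value (constructed)
        values.put("CHANGES", "Fix typo ${DEPLOY_KEY}");       // user-influenced change log
        String template = "Build notes: ${CHANGES}";

        // Recursive expansion resolves the token carried inside the change log.
        System.out.println("recursive  : " + expandRecursively(template, values, 10));
        // Single-pass expansion leaves the injected token as literal text.
        System.out.println("single pass: " + expandOnce(template, values));

        // A value that refers to itself never reaches a fixed point (the DoS case).
        values.put("CHANGES", "again ${CHANGES}");
        try {
            expandRecursively(template, values, 10);
        } catch (IllegalStateException e) {
            System.out.println("self-reference: " + e.getMessage());
        }
    }
}
```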

Blue Ocean did not require CSRF tokens

SECURITY-1201 / CVE pending

Blue Ocean did not require CSRF tokens ("crumbs") for POST requests with the
Content-Type: application/json.

Blue Ocean now requires that valid CSRF tokens are present in POST requests.

XSS vulnerability via user description in Blue Ocean

SECURITY-1204 / CVE pending

Blue Ocean did not properly escape HTML/JavaScript content set on the current
user's description field, resulting in a cross-site scripting vulnerability
exploitable by administrators and other people accessing Jenkins with the same
user account.

Blue Ocean now properly escapes HTML/JavaScript content set on the current
user's description field.

XSS vulnerability in Config File Provider Plugin

SECURITY-1253 / CVE pending

Config File Provider Plugin improperly handled script names in its
JavaScript-based UI, resulting in a stored cross-site scripting (XSS)
vulnerability.

Config File Provider Plugin now properly handles script names.

XXE vulnerability in Job Import Plugin

SECURITY-905 (1) / CVE pending

Job Import Plugin allows importing jobs from other Jenkins instances. As a
first step in this process, Job Import Plugin sends a request to another
Jenkins instance, parsing XML REST API output to obtain a list of jobs that
could be imported.

Job Import Plugin did not configure the XML parser in a way that would prevent
XML External Entity (XXE) processing. This allowed attackers able to control
either the server Jenkins will query, or the URL Jenkins queries, to have it
parse a maliciously crafted XML response that uses external entities for
extraction of secrets from the Jenkins master, server-side request forgery, or
denial-of-service attacks.

External entity resolution has been disabled for the XML parser used in Job
Import Plugin 3.0.
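
One way to configure a JAXP parser so that a remote job listing cannot trigger entity processing, as an added example that is not the plugin's own code. The class name, the sample responses and the choice to reject every DOCTYPE are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

// Added illustration; hypothetical class, not taken from Job Import Plugin.
public class RemoteJobListParser {

    // Builds a DOM parser that refuses DTDs and never resolves external entities.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE removes the entity mechanism altogether.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE ever has to be allowed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Extracts job names from a job listing returned by the remote instance.
    static List<String> jobNames(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList names = doc.getElementsByTagName("name");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < names.getLength(); i++) {
            out.add(names.item(i).getTextContent());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses; the second carries a DOCTYPE with a
        // harmless internal entity to show that any DTD is refused.
        String normal = "<hudson><job><name>build-app</name></job>"
                + "<job><name>deploy-app</name></job></hudson>";
        String withDtd = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE hudson [<!ENTITY e \"constructed\">]>"
                + "<hudson><job><name>&e;</name></job></hudson>";

        System.out.println("normal response: " + jobNames(normal));
        try {
            jobNames(withDtd);
            System.out.println("DOCTYPE response: parsed (parser is not hardened)");
        } catch (SAXException ex) {
            System.out.println("DOCTYPE response: rejected (" + ex.getMessage() + ")");
        }
    }
}
```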

CSRF vulnerability and missing permission checks in Job Import Plugin allowed
capturing credentials

SECURITY-905 (2) / CVE pending

Job Import Plugin did not check user permissions on its API endpoint used to
access remote Jenkins instances. This allowed users with Overall/Read access to
Jenkins to connect to an attacker-specified URL using attacker-specified
credentials IDs obtained through another method, capturing credentials stored
in Jenkins.

Job Import Plugin 3.0 will only access Jenkins instances using credentials
defined in the global configuration.

CSRF vulnerability in Job Import Plugin allowed creating and overwriting jobs,
installing some plugins

SECURITY-1302 / CVE pending

Job Import Plugin did not require that POST requests are sent to its /import
URL, which processes requests to import jobs. This resulted in a cross-site
request forgery (CSRF) vulnerability that could be exploited to create or
replace jobs on the local instance if the remote Jenkins instance has different
ones with the same name, or to install additional plugins, if jobs on the
remote Jenkins instance reference them in their configuration.

Job Import Plugin 3.0 restricted which remote Jenkins instances jobs can be
imported from, limiting how this can be exploited. From Job Import Plugin 3.1,
the /import URL requires that requests are sent via POST.

GitHub Authentication Plugin showed plain text client secret in configuration
form

SECURITY-602 / CVE pending

GitHub Authentication Plugin stores the client secret in the global Jenkins
configuration.

While the client secret is stored encrypted on disk, it was transmitted in
plain text as part of the configuration form and displayed without masking.
This could result in exposure of the client secret through browser extensions,
cross-site scripting vulnerabilities, and similar situations.

GitHub Authentication Plugin now encrypts the client secret transmitted to
administrators viewing the global security configuration form.

Session fixation vulnerability in GitHub Authentication Plugin

SECURITY-797 / CVE pending

GitHub Authentication Plugin did not invalidate the previous session and create
a new one upon successful login, allowing attackers able to control or obtain
another user's pre-login session ID to impersonate them.

GitHub Authentication Plugin now invalidates the previous session during login
and creates a new one.

CSRF vulnerability and missing permission checks in Kanboard Plugin allowed
server-side request forgery

SECURITY-818 / CVE pending

Kanboard Plugin did not perform permission checks on a method implementing form
validation. This allowed users with Overall/Read access to Jenkins to submit a
GET request to an attacker-specified URL.

Additionally, this form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer
permissions.

OpenId Connect Authentication Plugin showed plain text client secret in
configuration form

SECURITY-886 / CVE pending

OpenId Connect Authentication Plugin stores the client secret in the global
Jenkins configuration.

While the client secret is stored encrypted on disk, it was transmitted in
plain text as part of the configuration form and displayed without masking.
This could result in exposure of the client secret through browser extensions,
cross-site scripting vulnerabilities, and similar situations.

The OpenId Connect Authentication Plugin now encrypts the client secret
transmitted to administrators viewing the global configuration form.

Monitoring Plugin did not apply CSRF protection even if enabled in Jenkins

SECURITY-1153 / CVE pending

Monitoring Plugin provides a standalone JavaMelody servlet with an independent
CSRF protection configuration. Even if Jenkins had CSRF protection enabled,
Monitoring Plugin may not have it enabled.

Monitoring Plugin now checks on startup whether Jenkins has CSRF protection
enabled and enables its own CSRF protection accordingly.

Note: Monitoring Plugin does not take into account configuration changes applied
after Jenkins startup or after Monitoring Plugin finishes loading.
Administrators need to restart Jenkins when enabling or disabling the CSRF
protection configuration to apply the change to Monitoring Plugin.

Clickjacking vulnerability in Monitoring Plugin

SECURITY-1154

Monitoring Plugin did not set the X-Frame-Options header, allowing its pages to
be embedded. This could result in clickjacking attacks.

Monitoring Plugin now sets the X-Frame-Options header to sameorigin, preventing
embedding.

XSS vulnerability in Warnings Next Generation Plugin

SECURITY-1271 / CVE pending

Warnings Next Generation Plugin did not properly escape HTML content in
warnings displayed on the Jenkins UI, resulting in a cross-site scripting
vulnerability exploitable by users able to control warnings parser input.

Warnings Next Generation Plugin now removes unsafe HTML content from warnings.

Severity

  o SECURITY-602: low
  o SECURITY-797: medium
  o SECURITY-818: medium
  o SECURITY-859: high
  o SECURITY-886: low
  o SECURITY-905 (1): high
  o SECURITY-905 (2): medium
  o SECURITY-1095: low
  o SECURITY-1102: medium
  o SECURITY-1153: medium
  o SECURITY-1154: low
  o SECURITY-1201: medium
  o SECURITY-1204: medium
  o SECURITY-1253: medium
  o SECURITY-1271: medium
  o SECURITY-1292: high
  o SECURITY-1293: high
  o SECURITY-1295 (1): high
  o SECURITY-1295 (2): high
  o SECURITY-1302: medium

Affected Versions

  o Active Directory Plugin up to and including 2.10
  o Blue Ocean Plugin up to and including 1.10.1
  o Config File Provider Plugin up to and including 3.4.1
  o Git Plugin up to and including 3.9.1
  o GitHub Authentication Plugin up to and including 0.29
  o Groovy Plugin up to and including 2.0
  o Job Import Plugin up to and including 2.1
  o Job Import Plugin up to and including 3.0
  o Kanboard Plugin up to and including 1.5.10
  o Monitoring Plugin up to and including 1.74.0
  o OpenId Connect Authentication Plugin up to and including 1.4
  o Script Security Plugin up to and including 1.50
  o Token Macro Plugin up to and including 2.5
  o Warnings Plugin up to and including 5.0.0
  o Warnings Next Generation Plugin up to and including 2.1.1
  o Warnings Next Generation Plugin up to and including 1.0.1

Fix

  o Active Directory Plugin should be updated to version 2.11
  o Blue Ocean Plugin should be updated to version 1.10.2
  o Config File Provider Plugin should be updated to version 3.5
  o Git Plugin should be updated to version 3.9.2
  o GitHub Authentication Plugin should be updated to version 0.31
  o Groovy Plugin should be updated to version 2.1
  o Job Import Plugin should be updated to version 3.0
  o Job Import Plugin should be updated to version 3.1
  o Kanboard Plugin should be updated to version 1.5.11
  o Monitoring Plugin should be updated to version 1.75.0
  o OpenId Connect Authentication Plugin should be updated to version 1.5
  o Script Security Plugin should be updated to version 1.51
  o Token Macro Plugin should be updated to version 2.6
  o Warnings Plugin should be updated to version 5.0.1
  o Warnings Next Generation Plugin should be updated to version 2.1.2
  o Warnings Next Generation Plugin should be updated to version 2.0.0

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Adam Willard for SECURITY-1253
  o Chris Jacobs, Comscore, Inc., Systems Engineer for SECURITY-859
  o Daniel Beck, CloudBees, Inc. for SECURITY-1153, SECURITY-1154,
    SECURITY-1302
  o James Nord, CloudBees, Inc. for SECURITY-886
  o Kalle Niemitalo, Procomp Solutions Oy for SECURITY-1271
  o Man Shum ( https://www.instagram.com/evmannn/ ) from Hong Kong for
    SECURITY-1204
  o Mikhail Egorov, security researcher, https://twitter.com/0ang3el for
    SECURITY-1292
  o Oleg Nenashev for SECURITY-1095
  o R. Tyler Croy, CloudBees, Inc. for SECURITY-602
  o Thomas Chauchefoin and Julien Szlamowicz of Synacktiv for SECURITY-905 (1),
    SECURITY-905 (2)
  o Thomas de Grenier de Latour for SECURITY-818
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-797, SECURITY-1201

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----