12 October 2017
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2563
                    Jenkins Security Advisory 2017-10-11
                               12 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3092 CVE-2012-6153
Reference:         ASB-2017.0119
                   ASB-2017.0116
                   ESB-2017.2415
                   ESB-2017.1595

Original Bulletin:
   https://jenkins.io/security/advisory/2017-10-11/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2017-10-11

This advisory announces multiple vulnerabilities in Jenkins (weekly and LTS),
and these plugins:

  Maven Plugin
  Swarm Plugin Client
  Speaks! Plugin

Description
-----------

Arbitrary shell command execution on master by users with Agent-related
permissions
SECURITY-478 / CVE pending

Users with permission to create or configure agents in Jenkins could
configure a launch method called "Launch agent via execution of command on
master". This allowed them to run arbitrary shell commands on the master
node whenever the agent was supposed to be launched.

Configuration of this launch method now requires the Run Scripts permission,
typically only granted to administrators.

A known limitation of this fix is that users without the Run Scripts
permission are no longer able to configure agents with this launch method at
all, even if the launch method remains unchanged. A future release of
Jenkins will move this launch method into a separate plugin. That plugin
will depend on Script Security Plugin to secure this field and restore the
ability of users without the Run Scripts permission to configure an agent
with this launch method.

Jenkins core bundled vulnerable version of the commons-fileupload library
SECURITY-490 / CVE pending

Jenkins bundled a version of the commons-fileupload library with the
denial-of-service vulnerability known as CVE-2016-3092. The fix for that
vulnerability has been backported to the version of the library bundled with
Jenkins.

"User" remote API disclosed users' email addresses
SECURITY-514 / CVE pending

Information about Jenkins user accounts is generally available to anyone with
Overall/Read permissions via the /user/(username)/api remote API. This
included, for example, Jenkins users' email addresses if the Mailer Plugin is
installed. The remote API now no longer includes information beyond the most
basic (user ID and name) unless the user requesting it is a Jenkins
administrator or the user themselves.

Jenkins core bundled vulnerable version of the commons-httpclient library
SECURITY-555 / CVE pending

Jenkins bundled a version of the commons-httpclient library with the
vulnerability CVE-2012-6153, which incorrectly verified SSL certificates,
making it susceptible to man-in-the-middle attacks. This library is widely
used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153
was backported to the version of commons-httpclient that is bundled in core
and made available to plugins.

Maven Plugin bundled vulnerable version of the commons-httpclient library
SECURITY-557 / CVE pending

Maven Plugin bundled a version of the commons-httpclient library with the
vulnerability CVE-2012-6153, which incorrectly verified SSL certificates,
making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no
longer has a dependency on commons-httpclient.

Swarm Plugin Client bundled vulnerable version of the commons-httpclient
library
SECURITY-597 / CVE pending

Swarm Plugin Client bundled a version of the commons-httpclient library with
the vulnerability CVE-2012-6153, which incorrectly verified SSL certificates,
making it susceptible to man-in-the-middle attacks. The fix for CVE-2012-6153
was backported to the version of commons-httpclient bundled in Swarm Plugin
Client.

IMPORTANT: Please note that Swarm Plugin Client needs to be updated
independently from the plugin. Updating just the plugin will not resolve the
security vulnerability.

"Computer" remote API disclosed information about inaccessible jobs
SECURITY-611 / CVE pending

The remote API at /computer/(agent-name)/api showed information about tasks
(typically builds) currently running on that agent. This included information
about tasks that the current user otherwise has no access to, e.g. due to
lack of Job/Read permission. This has been fixed, and the API now only shows
information about accessible tasks.

"Queue Item" remote API disclosed information about inaccessible jobs
SECURITY-618 / CVE pending

The remote API at /queue/item/(ID)/api showed information about tasks in the
queue (typically builds waiting to start). This included information about
tasks that the current user otherwise has no access to, e.g. due to lack of
Job/Read permission. This has been fixed, and the API endpoint is now only
available for tasks that the current user has access to.

"Job" remote API disclosed information about inaccessible upstream/downstream
jobs
SECURITY-617 / CVE pending

The remote API at /job/(job-name)/api contained information about upstream
and downstream projects. This included information about tasks that the
current user otherwise has no access to, e.g. due to lack of Job/Read
permission. This has been fixed, and the API now only lists upstream and
downstream projects that the current user has access to.

Form validation for password fields was sent via GET
SECURITY-616 / CVE pending

The Jenkins default form control for passwords and other secrets,
<f:password/>, supports form validation (e.g. for API keys). The form
validation AJAX requests were sent via GET, which could result in secrets
being logged to an HTTP access log in non-default configurations of Jenkins,
and made available to users with access to these log files. Form validation
for <f:password/> is now always sent via POST, with the password in the
request body, which is typically not logged.

Arbitrary code execution vulnerability in Speaks! Plugin
SECURITY-623 / CVE pending

This plugin allows users with Job/Configure permission to run arbitrary
Groovy code inside the Jenkins JVM, effectively elevating privileges to
Overall/Run Scripts. As of publication of this advisory, there is no fix.

Severity
--------

  SECURITY-478: high
  SECURITY-490: high
  SECURITY-514: medium
  SECURITY-555: medium
  SECURITY-557: medium
  SECURITY-597: medium
  SECURITY-611: medium
  SECURITY-616: low
  SECURITY-617: medium
  SECURITY-618: medium
  SECURITY-623: high

Affected versions
-----------------

  Jenkins weekly up to and including 2.83
  Jenkins LTS up to and including 2.73.1
  Maven Plugin up to and including 2.17
  All versions of Speaks! Plugin
  Swarm Plugin (Client) up to and including 3.4

Fix
---

  Jenkins weekly should be updated to 2.84
  Jenkins LTS should be updated to 2.73.2
  Maven Plugin should be updated to 3.0
  Swarm Plugin (Client) should be updated to 3.5

These versions include fixes to the vulnerabilities described above. All
prior versions are affected by these vulnerabilities unless otherwise
indicated.

As of publication of this advisory, there is no fix available for Speaks!
Plugin. Its distribution has been suspended.

Credit
------

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  Ben Walding, CloudBees, Inc. for SECURITY-616
  Daniel Beck, CloudBees, Inc. for SECURITY-478, SECURITY-611, SECURITY-623
  Jesse Glick, CloudBees, Inc. for SECURITY-617, SECURITY-618

Other Resources
---------------

Announcement blog post

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to email@example.com and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
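As an added example (not code from AusCERT or the Jenkins project), the following Python script applies the "Affected versions" and "Fix" tables of the bulletin above to an inventory of version strings, so an administrator can see which components still need action. It assumes the core and plugin version strings have already been collected from the installation (for instance from the Jenkins update centre or plugin manager); the sample inventory at the bottom is constructed.

```python
"""Apply the Affected versions / Fix tables of Jenkins Security Advisory 2017-10-11
to version strings from an installation. Added example, not code from AusCERT or
the Jenkins project; version strings are assumed to be gathered separately."""
from typing import Dict, List, Tuple

# Fixed versions exactly as stated in the advisory's Fix section.
FIXED_CORE = {"weekly": (2, 84), "lts": (2, 73, 2)}
FIXED_PLUGINS = {"Maven Plugin": (3, 0), "Swarm Plugin (Client)": (3, 5)}
NO_FIX_AVAILABLE = {"Speaks! Plugin"}  # all versions affected; distribution suspended

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.73.1' -> (2, 73, 1); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def release_line(version: str) -> str:
    """LTS releases carry three components (2.73.1), weekly releases two (2.83)."""
    return "lts" if len(parse_version(version)) >= 3 else "weekly"

def core_affected(version: str) -> bool:
    return parse_version(version) < FIXED_CORE[release_line(version)]

def plugin_affected(name: str, version: str) -> bool:
    """name is the advisory's own label; for Swarm pass the client's version, not the plugin's."""
    if name in NO_FIX_AVAILABLE:
        return True
    fixed = FIXED_PLUGINS.get(name)   # plugins outside the advisory are not flagged
    return fixed is not None and parse_version(version) < fixed

def assess(core_version: str, plugins: Dict[str, str]) -> List[str]:
    """One finding per affected component, with the action the advisory gives."""
    findings = []
    if core_affected(core_version):
        line = release_line(core_version)
        findings.append(f"Jenkins {line} {core_version}: update to "
                        + ".".join(map(str, FIXED_CORE[line])))
    for name, ver in plugins.items():
        if plugin_affected(name, ver):
            action = ("no fix available, distribution suspended" if name in NO_FIX_AVAILABLE
                      else "update to " + ".".join(map(str, FIXED_PLUGINS[name])))
            findings.append(f"{name} {ver}: {action}")
    return findings

if __name__ == "__main__":   # constructed sample inventory
    print(assess("2.73.1", {"Maven Plugin": "2.17", "Swarm Plugin (Client)": "3.5",
                            "Speaks! Plugin": "1.0", "Git Plugin": "3.6"}))
```

Plugins the advisory does not name are deliberately left unflagged, so the output lists only the actions this bulletin requires.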