-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3094
                    Jenkins Security Advisory 2018-10-10
                               12 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins core
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data   -- Existing Account
                   Create Arbitrary Files   -- Existing Account
                   Cross-site Scripting     -- Remote with User Interaction
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1999043

Original Bulletin:
   https://jenkins.io/security/advisory/2018-10-10/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-10-10

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Jenkins (core)

Descriptions

Path traversal vulnerability in Stapler allowed accessing internal data

SECURITY-867 / CVE pending

A path traversal vulnerability in Stapler allowed viewing routable objects
with views defined on any type. This could be used to access internal data of
routable objects, commonly by showing their string representation
(#toString()).

Arbitrary file write vulnerability using file parameter definitions

SECURITY-1074 / CVE pending

Users with Job/Configure permission could specify a relative path escaping the
base directory in the file name portion of a file parameter definition. This
path would be used to archive the uploaded file on the Jenkins master,
resulting in an arbitrary file write vulnerability.

File parameters that escape the base directory are no longer accepted and the
build will fail.

Reflected XSS vulnerability

SECURITY-1129 / CVE pending

The wrapper query parameter for the XML variant of the Jenkins remote API did
not validate the specified tag name. This resulted in a reflected cross-site
scripting vulnerability.

Only legal XML tag names are now allowed for the wrapper query parameter.

Ephemeral user record was created on some invalid authentication attempts

SECURITY-1162 / CVE-2018-1999043

When attempting to authenticate using an API token, an ephemeral user record
was created to validate the token in case an external security realm was used
and the user record had not previously been saved in Jenkins, as (legacy) API
tokens could exist without a persisted user record. This behavior could be
abused to create a large number of ephemeral user records in memory.

This is the same vulnerability as SECURITY-672. The fix for SECURITY-672 was
previously incorrectly applied and therefore not effective. This has been
fixed.

Ephemeral user record creation

SECURITY-1128 / CVE pending

By accessing a specific crafted URL on Jenkins instances using Jenkins' own
user database, users without Overall/Read access could create ephemeral user
records. This behavior could be abused to create a large number of ephemeral
user records in memory.

Accessing this URL now no longer results in a user record getting created.

Session fixation vulnerability on user signup

SECURITY-1158 / CVE pending

When signing up for a new user account on instances using Jenkins' own user
database, Jenkins did not invalidate the existing session and create a new
one. This allowed session fixation.

Jenkins now invalidates the existing session and creates a new one when
logging in after user signup.

Failures to process form submission data could result in secrets being
displayed or written to logs

SECURITY-765 / CVE pending

When Jenkins fails to process form submissions due to an internal error, the
error message shown to the user and written to the log typically includes the
serialized JSON form submission. Secrets, such as submitted passwords, might
be included with the JSON object, and shown or written to disk in plain text.

Jenkins now masks values in these error messages from view if they were shown
on the UI as password form fields.

Severity

  o SECURITY-765: low
  o SECURITY-867: medium
  o SECURITY-1074: medium
  o SECURITY-1128: medium
  o SECURITY-1129: medium
  o SECURITY-1158: medium
  o SECURITY-1162: medium

Affected Versions

  o Jenkins weekly up to and including 2.145
  o Jenkins LTS up to and including 2.138.1

Fix

  o Jenkins weekly should be updated to version 2.146
  o Jenkins LTS should be updated to version 2.138.2

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Apple Information Security for SECURITY-867
  o Evan Grant of Tenable for SECURITY-1128, SECURITY-1129
  o Oleg Nenashev for SECURITY-1074
  o Sam Gleske for SECURITY-765
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1158
  o Zhao Xiaojie for SECURITY-1162

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
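To turn the Affected Versions and Fix sections of the advisory above into a check an operator can run against an inventory, here is an added Python example; it is not code from the advisory or from the Jenkins project. It assumes the version string is taken from the X-Jenkins response header that Jenkins sends, and the sample headers below are constructed, not captured from a real host.

```python
"""Classify a Jenkins core version against this advisory's fixed versions.

Added example, not code from the advisory or from Jenkins. Jenkins weekly
releases carry two numeric components ("2.145"); LTS releases carry three
("2.138.1"). The two lines must be compared separately: LTS 2.138.2 is fixed
even though it is numerically below weekly 2.146.
"""
from typing import Dict, Optional, Tuple

# Thresholds taken from the Fix section of the advisory.
FIXED_WEEKLY = (2, 146)
FIXED_LTS = (2, 138, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.138.1" into (2, 138, 1); reject anything that is not dotted digits."""
    parts = version.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(part) for part in parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    parsed = parse_version(version)
    if len(parsed) == 3:            # LTS line: compare against 2.138.2
        return parsed < FIXED_LTS
    if len(parsed) == 2:            # weekly line: compare against 2.146
        return parsed < FIXED_WEEKLY
    raise ValueError(f"unexpected version layout: {version!r}")


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Read the version Jenkins advertises in its X-Jenkins response header.

    Header names are matched case-insensitively; returns None when absent.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed sample of response headers, not captured from a real host.
    sample_headers = {"Content-Type": "text/html", "X-Jenkins": "2.138.1"}
    found = version_from_headers(sample_headers)
    state = "affected" if found and is_affected(found) else "not affected"
    print(found, state)
```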