-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1455.2
                   Jenkins Security Advisory 2019-04-30
                                1 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Reduced Security           -- Remote/Unauthenticated      
                   Access Confidential Data   -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10307 CVE-2019-10308 CVE-2019-10317
                   CVE-2019-10309 CVE-2019-10310 CVE-2019-10311
                   CVE-2019-10312 CVE-2019-10318 CVE-2019-10313
                   CVE-2019-10314 CVE-2019-10315 CVE-2019-10316

Original Bulletin: 
   https://jenkins.io/security/advisory/2019-04-30/

Revision History:  May    1 2019: Security Advisory Released
                   April 30 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

                      Jenkins Security Advisory 2019-04-30

   This advisory announces vulnerabilities in the following Jenkins
   deliverables:

     * Ansible Tower Plugin
     * Aqua MicroScanner Plugin
     * Azure AD Plugin
     * GitHub Authentication Plugin
     * Koji Plugin
     * Self-Organizing Swarm Plug-in Modules Plugin
     * SiteMonitor Plugin
     * Static Analysis Utilities Plugin
     * Twitter Plugin

Descriptions

  CSRF vulnerability and missing permission check allowed changing default graph
  configuration in Static Analysis Utilities Plugin

   SECURITY-1100 / CVE-2019-10307 (CSRF) and CVE-2019-10308 (permission
   check)

   Static Analysis Utilities Plugin has the capability to allow other plugins
   to display trend graphs for their static analysis results. Static Analysis
   Utilities Plugin provides the configuration form for the default settings
   of each graph.

   The configuration form and form submission handler did not perform a
   permission check, allowing attackers with Job/Read access to change the
   per-job graph configuration defaults for all users.

   Additionally, the form submission handler did not require POST requests,
   resulting in a cross-site request forgery vulnerability.

   Static Analysis Utilities Plugin now requires Job/Configure permission and
   POST requests to configure the per-job graph defaults for all users.

  SiteMonitor Plugin globally and unconditionally disables SSL/TLS certificate
  validation

   SECURITY-930 / CVE-2019-10317

   SiteMonitor Plugin unconditionally disables SSL/TLS certificate validation
   for the entire Jenkins master JVM.

   SiteMonitor Plugin no longer does that. Instead, it now has an opt-in
   option to ignore SSL/TLS errors for each site check individually.

  XXE vulnerability via UDP broadcast response in Self-Organizing Swarm Plug-in
  Modules Plugin client

   SECURITY-1252 / CVE-2019-10309

   Self-Organizing Swarm Plug-in Modules Plugin allows clients to
   auto-discover Jenkins instances on the same network through a UDP
   discovery request. Responses to this request are XML documents.

   Self-Organizing Swarm Plug-in Modules Plugin does not configure the XML
   parser in a way that would prevent XML External Entity (XXE) processing.
   This allows unauthenticated attackers on the same network to have Swarm
   clients parse a maliciously crafted XML response that uses external
   entities to read arbitrary files from the Swarm client or to perform
   denial-of-service attacks.

   As of publication of this advisory, there is no fix.
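   The class of bug described above is a parser left at its defaults. As an
   added example (not the Swarm plugin's own code), the following parses a
   constructed discovery response with a DocumentBuilderFactory that refuses
   DTDs and external entities; the element names, the class name and the
   response layout are assumptions made for the example.

```java
// Added example, not the Swarm plugin's code: a DOM parser hardened against XXE,
// applied to a constructed UDP discovery response. Element names are assumed.
package example;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public final class SafeDiscoveryParser {

    // BEFORE (vulnerable pattern): a default factory resolves external entities,
    // so a response carrying <!DOCTYPE ...> with a SYSTEM entity can pull a local
    // file into the document or stall the client with nested entity expansion.
    //
    // Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
    //         .parse(new ByteArrayInputStream(responseBytes));

    // AFTER: forbid DTDs outright; a discovery response has no reason to carry one.
    // The feature URIs are the standard JAXP/Xerces ones.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the advertised master URL, or null when the response is rejected. */
    public static String masterUrlFrom(byte[] response) {
        try {
            Document doc = hardenedBuilder().parse(new ByteArrayInputStream(response));
            NodeList urls = doc.getElementsByTagName("url");
            return urls.getLength() == 0 ? null : urls.item(0).getTextContent().trim();
        } catch (ParserConfigurationException | SAXException | IOException e) {
            // A DOCTYPE in the response fails here instead of being expanded.
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed benign response.
        byte[] ok = "<discovery><url>https://jenkins.example.invalid/</url></discovery>"
                .getBytes(StandardCharsets.UTF_8);
        // Constructed hostile response: declares an external entity. The hardened
        // parser rejects the DOCTYPE itself, so the entity is never resolved.
        byte[] bad = ("<!DOCTYPE discovery [<!ENTITY x SYSTEM \"file:///placeholder/local/file\">]>"
                + "<discovery><url>&x;</url></discovery>").getBytes(StandardCharsets.UTF_8);
        System.out.println("benign:  " + masterUrlFrom(ok));
        System.out.println("hostile: " + masterUrlFrom(bad));
    }
}
```

   With the hardened builder the first call returns the advertised URL and the
   second returns null, because disallow-doctype-decl makes the parser throw
   on the DOCTYPE before any entity is looked at. Jenkins core also ships a
   pre-hardened parser in jenkins.util.xml.XMLUtils, which plugins can use
   instead of configuring a factory by hand.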

  CSRF vulnerability and missing permission check in Ansible Tower Plugin
  allowed capturing credentials

   SECURITY-1355 (1) / CVE-2019-10310 (CSRF) and CVE-2019-10311 (permission
   check)

   Ansible Tower Plugin did not perform permission checks on a method
   implementing form validation. This allowed users with Overall/Read access
   to Jenkins to connect to an attacker-specified URL using
   attacker-specified credential IDs obtained through another method,
   capturing credentials stored in Jenkins.

   Additionally, this form validation method did not require POST requests,
   resulting in a cross-site request forgery vulnerability.

   This form validation method now requires POST requests and
   Overall/Administer permissions.

  Users with Overall/Read access are able to enumerate credential IDs in Ansible
  Tower Plugin

   SECURITY-1355 (2) / CVE-2019-10312

   Ansible Tower Plugin provides a list of applicable credential IDs to allow
   users configuring the plugin to select the one to use.

   This functionality did not check permissions, allowing any user with
   Overall/Read permission to obtain a list of valid credential IDs. Those
   could be used as part of an attack to capture the credentials using
   another vulnerability.

   Enumerating credential IDs in this plugin now requires Overall/Administer
   permission.
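   The two Ansible Tower issues above (SECURITY-1355) and the graph
   configuration issue in Static Analysis Utilities Plugin (SECURITY-1100)
   share one root cause: a Stapler web method reachable by GET with no
   permission check. As an added example (not the code of either plugin), the
   following hypothetical global configuration shows the corrected shape of
   both a form-validation method and a credentials drop-down. The class name,
   the testConnection helper and the parameter names are assumptions.

```java
// Added example, not the Ansible Tower or Static Analysis Utilities plugins' code.
// A hypothetical descriptor with a POST-only, permission-checked form-validation
// method and a permission-checked credentials drop-down.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Collections;

@Extension
public class ExampleTowerGlobalConfig extends GlobalConfiguration {

    // BEFORE (vulnerable pattern): reachable by any Overall/Read user with a plain
    // GET, so a crafted link (CSRF) or a low-privileged account could make Jenkins
    // send the named credential to whatever URL the request supplied.
    //
    // public FormValidation doCheckConnection(@QueryParameter String url,
    //                                         @QueryParameter String credentialsId) {
    //     return testConnection(url, credentialsId);
    // }

    // AFTER: POST only (Jenkins then enforces its CSRF crumb on the request) and
    // administrators only. Both checks are needed; neither replaces the other.
    @RequirePOST
    public FormValidation doCheckConnection(@QueryParameter String url,
                                            @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("No such credentials: " + credentialsId);
        }
        return testConnection(url, c);   // assumed helper, see below
    }

    // AFTER: the drop-down lists stored IDs only for administrators. Everyone
    // else gets back just the value already in the form, not an enumeration.
    public ListBoxModel doFillCredentialsIdItems(@QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM, Jenkins.get(), StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }

    // Assumed helper: a real plugin would open the connection here. The point of
    // the example is the guards above, so this only reports what it would do.
    private FormValidation testConnection(String url, StandardUsernamePasswordCredentials c) {
        return FormValidation.ok("Would connect to " + url + " as " + c.getUsername());
    }
}
```

   The per-job variant of the same fix (SECURITY-1100) differs only in which
   permission is checked: a handler that changes settings of a job calls
   item.checkPermission(Item.CONFIGURE) on the job it was invoked for rather
   than checking Overall/Administer.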

  Azure AD Plugin stored credentials in plain text

   SECURITY-1390 / CVE-2019-10318

   Azure AD Plugin stored the client secret unencrypted in the global
   config.xml configuration file on the Jenkins master. These credentials
   could be viewed by users with access to the master file system.

   Azure AD Plugin now stores the client secret encrypted.

  Twitter Plugin stores credentials in plain text

   SECURITY-1143 / CVE-2019-10313

   Twitter Plugin stores credentials unencrypted in its global configuration
   file on the Jenkins master. These credentials could be viewed by users
   with access to the master file system.

   As of publication of this advisory, there is no fix.

  Koji Plugin globally and unconditionally disables SSL/TLS certificate
  validation

   SECURITY-936 / CVE-2019-10314

   Koji Plugin unconditionally disables SSL/TLS certificate validation for
   the entire Jenkins master JVM.

   As of publication of this advisory, there is no fix.
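   SiteMonitor Plugin (SECURITY-930) and Koji Plugin (SECURITY-936) above
   share the same defect: certificate validation is switched off with the
   static setters on HttpsURLConnection, which change the default for every
   HTTPS connection in the Jenkins master process. As an added example (not
   either plugin's code), the following shows that pattern beside a version
   that affects one connection only and only when the site's configuration
   opts in, which is the shape of the SiteMonitor fix. The class name and the
   HEAD-request check are assumptions.

```java
// Added example, not the SiteMonitor or Koji plugins' code: JVM-wide versus
// per-connection relaxation of TLS validation. Class and method names are assumed.
package example;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class SiteCheck {

    // A trust manager that accepts any chain. By itself it is not the bug; the
    // bug is where it gets installed.
    private static final TrustManager[] TRUST_ALL = {new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }};
    private static final HostnameVerifier ANY_HOST = (hostname, session) -> true;

    private static SSLSocketFactory trustAllFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, new SecureRandom());
        return ctx.getSocketFactory();
    }

    // BEFORE (vulnerable pattern): static setters rewrite the process-wide default.
    // Once any plugin runs these two lines, every other plugin's HTTPS traffic in
    // the same master JVM (update centre, SCM, credential exchanges) silently
    // loses certificate and hostname validation until the JVM restarts.
    //
    // HttpsURLConnection.setDefaultSSLSocketFactory(trustAllFactory());
    // HttpsURLConnection.setDefaultHostnameVerifier(ANY_HOST);

    // AFTER: validation is relaxed on this one connection, and only when the
    // site's own setting asks for it. The default for everything else is untouched.
    public static int status(URL url, boolean ignoreSslErrors)
            throws IOException, GeneralSecurityException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (ignoreSslErrors && conn instanceof HttpsURLConnection) {
            HttpsURLConnection https = (HttpsURLConnection) conn;
            https.setSSLSocketFactory(trustAllFactory());   // instance setter, not static
            https.setHostnameVerifier(ANY_HOST);
        }
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

   A quick way to confirm a master is not already running with the defaults
   replaced is to compare HttpsURLConnection.getDefaultSSLSocketFactory() and
   getDefaultHostnameVerifier() from the script console against the values a
   fresh JVM reports; a lambda or anonymous class from a plugin package in
   either is the symptom the advisory describes.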

  CSRF vulnerability in OAuth callback in GitHub Authentication Plugin

   SECURITY-443 / CVE-2019-10315

   GitHub Authentication Plugin did not use the OAuth state parameter to
   prevent CSRF. This allowed an attacker to capture the redirect URL
   provided during the OAuth authentication process and send it to the
   victim. If the victim was already logged in to Jenkins, their Jenkins
   account would be attached to the attacker's GitHub account.

   The state parameter is now correctly managed.
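   The fix is the standard OAuth 2.0 binding of the authorization request to
   the browser session. As an added example (not GitHub Authentication
   Plugin's code), the following mints a random state before the redirect,
   stores it in the session, and on the callback accepts the authorization
   code only when the echoed state matches. The servlet API is used directly;
   a Jenkins plugin would make the same calls on its StaplerRequest. The class
   name, session key and parameter names are assumptions.

```java
// Added example, not GitHub Authentication Plugin's code: OAuth state handling.
// Names of the class, session attribute and endpoints are assumptions.
package example;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class OAuthState {
    private static final String SESSION_KEY = "example-oauth-state";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Step 1: before redirecting to the provider, mint a fresh unguessable state,
    // remember it in this browser session only, and include it in the authorize URL.
    public static String authorizeUrl(HttpServletRequest req, String clientId,
                                      String redirectUri) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        req.getSession(true).setAttribute(SESSION_KEY, state);
        return "https://github.com/login/oauth/authorize"
                + "?client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(state);
    }

    // Step 2: on the callback, use the code only if the state the provider echoed
    // back equals the one this session minted. A callback URL minted in someone
    // else's session carries a state this session never issued, so the account
    // link is refused. The stored state is consumed so it cannot be replayed.
    public static boolean callbackIsValid(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_KEY);
        String presented = req.getParameter("state");
        if (session != null) {
            session.removeAttribute(SESSION_KEY);
        }
        if (expected == null || presented == null) {
            return false;
        }
        // Constant-time comparison; the state is a secret for the life of the flow.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        try {
            return URLEncoder.encode(s, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);   // UTF-8 is always available
        }
    }
}
```

   callbackIsValid must run before any code-for-token exchange; if it returns
   false the handler should stop without touching the logged-in user's account.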

  Aqua MicroScanner Plugin stored credentials in plain text

   SECURITY-1380 / CVE-2019-10316

   Aqua MicroScanner Plugin stored credentials unencrypted in its global
   configuration file on the Jenkins master. These credentials could be
   viewed by users with access to the master file system.

   Aqua MicroScanner Plugin now stores credentials encrypted.
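   The three plaintext-storage entries above (SECURITY-1390, SECURITY-1143,
   SECURITY-1380) all come down to a String field that XStream writes into the
   global config.xml as typed. As an added example (not the code of Azure AD,
   Twitter or Aqua MicroScanner Plugin), the following hypothetical global
   configuration shows that field beside the hudson.util.Secret field that the
   fixed plugins use. The class and field names are assumptions.

```java
// Added example, not the Azure AD, Twitter or Aqua MicroScanner plugins' code:
// storing a client secret with hudson.util.Secret. Names are assumptions.
package example;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

@Extension
public class ExampleServiceConfig extends GlobalConfiguration {

    // BEFORE (vulnerable pattern): persisted to config.xml exactly as typed,
    // e.g. <clientSecret>hunter2</clientSecret>, readable by anyone with access
    // to the master file system or to a backup of it.
    //
    // private String clientSecret;

    // AFTER: Secret is serialised in its encrypted form, e.g.
    // <clientSecret>{...base64 ciphertext...}</clientSecret>, bound to this
    // instance's master key; the plaintext exists only when explicitly requested.
    private Secret clientSecret;

    public ExampleServiceConfig() {
        load();   // reads the persisted XML back into the fields above
    }

    public Secret getClientSecret() {
        return clientSecret;
    }

    @DataBoundSetter
    public void setClientSecret(Secret clientSecret) {
        this.clientSecret = clientSecret;
        save();
    }

    // Call sites that need the raw value ask for it explicitly, so the plaintext
    // never lands in XML, logs or a toString() by accident.
    public String clientSecretForApiCall() {
        return Secret.toString(clientSecret);   // "" when unset, never null
    }

    // One-off migration for a value that was stored as plaintext by an older
    // release: Secret.fromString encrypts a plaintext input and leaves an
    // already-encrypted value untouched, so it is safe to call on either.
    static Secret migrate(String legacyValue) {
        return Secret.fromString(legacyValue);
    }
}
```

   The matching Jelly form field should be f:password rather than f:textbox so
   the value is masked in the browser and round-trips as a Secret. A quick
   audit of an existing master is to grep the plugin's global config.xml for
   the secret element and confirm its value is the braced encrypted form
   rather than the raw string.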

Severity

     * SECURITY-443: Medium
     * SECURITY-930: Medium
     * SECURITY-936: Medium
     * SECURITY-1100: Medium
     * SECURITY-1143: Low
     * SECURITY-1252: Medium
     * SECURITY-1355 (1): Medium
     * SECURITY-1355 (2): Medium
     * SECURITY-1380: Low
     * SECURITY-1390: Low

Affected Versions

     * Ansible Tower Plugin up to and including 0.9.1
     * Aqua MicroScanner Plugin up to and including 1.0.5
     * Azure AD Plugin up to and including 0.3.3
     * GitHub Authentication Plugin up to and including 0.31
     * Koji Plugin up to and including 0.3
     * Self-Organizing Swarm Plug-in Modules Plugin up to and including 3.15
     * SiteMonitor Plugin up to and including 0.5
     * Static Analysis Utilities Plugin up to and including 1.95
     * Twitter Plugin up to and including 0.7

Fix

     * Ansible Tower Plugin should be updated to version 0.9.2
     * Aqua MicroScanner Plugin should be updated to version 1.0.6
     * Azure AD Plugin should be updated to version 0.3.4
     * GitHub Authentication Plugin should be updated to version 0.32
     * SiteMonitor Plugin should be updated to version 0.6
     * Static Analysis Utilities Plugin should be updated to version 1.96

   These versions include fixes to the vulnerabilities described above. All
   prior versions are considered to be affected by these vulnerabilities
   unless otherwise indicated.

   As of publication of this advisory, no fixes are available for the
   following plugins:

     * Koji Plugin
     * Self-Organizing Swarm Plug-in Modules Plugin
     * Twitter Plugin

Credit

   The Jenkins project would like to thank the reporters for discovering and
   reporting these vulnerabilities:

     * Daniel Beck, CloudBees, Inc. for SECURITY-930, SECURITY-936
     * Mark Combellack, CafeX Communications for SECURITY-1390
     * Oleg Nenashev, CloudBees, Inc. for SECURITY-1100
     * Peter Adkins of Cisco Umbrella for SECURITY-1252, SECURITY-1355 (1),
       SECURITY-1355 (2)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIUAwUBXMjtfGaOgq3Tt24GAQjWlw/3daWOojn6MhBqtayQX1AgOH/p3TYpIb5m
SUznMIW1x0yUMA4MP0zFYkepBJXZINdXrvjb9fgmiy0J+p8j8kI9eL4d3e5aXt7y
DOjw4DkFEG4hTG1REbycGhi50I1+ZWk1GvQF9tNMyeow5Yvc/rykx65xH9ZaQ8kT
T/KUp0A3zEfxpP9kORwstvS3IcWJHh7/MP03nY1R6dXoNxlKGpEce8wNOFhCjFtc
qqQYs5oPzt7P01nlj4glj0dDW9iszUn164RmXXQM7fXHDuBQHJLPoqQRAHrhwjKw
jkLcAx0VKCz2sHl4jYPU/h8OWglRS/TMRe0hk7hGsn+KOzp5odBGT3fx9He3Vz/9
zirkVKILGDlUHVuqEJpf9p4rhw7GOHPx9nF7p5c6u0cJ1LzG3cwOpaYXQbARIRN9
U/4MY5eictqHBdpIT5X0N/fHEvrh2/3RRy9huQjUB+5GxPmyiBGzrNdA/tFa3XY9
9u3VakiXhCIijoh2Fl9EaC/aJLyTxfqO8Ybx2qRemz3yU/sDtxKXFzgfft5ftI5r
VryHU4kkcdoP9KFAX6BACDxcLvukFbs1OIvj5AfulRYd9X1Jd6VIKQD2wgdgU+zj
xLsRA2FBQ1Os1nUIji1MrEBvkGMh7nK+jQ8QU103OF7p+WeVEqI532QXBAiHNefc
32vrqQMP2g==
=GzaX
-----END PGP SIGNATURE-----