===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3262
                    Jenkins Security Advisory 2019-08-28
                               29 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
                   Jenkins Splunk plugin
                   Jenkins IBM Application Security on Cloud plugin
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Existing Account
                   Access Confidential Data   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10390 CVE-2019-10384 CVE-2019-10383
Reference:         ESB-2019.2674

Original Bulletin:
   https://jenkins.io/security/advisory/2019-08-28/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-08-28

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)
  * IBM Application Security on Cloud Plugin
  * Splunk Plugin

Descriptions

Stored XSS vulnerability in update center
SECURITY-1453 / CVE-2019-10383

Jenkins did not properly escape the update site URL in some status messages
shown in the update center, resulting in a stored cross-site scripting
vulnerability that is exploitable by administrators and affects other
administrators.

Jenkins now escapes the update site URL in status messages shown in the update
center.

CSRF protection tokens for anonymous users did not expire in some circumstances
SECURITY-1491 / CVE-2019-10384

Jenkins allowed the creation of CSRF tokens without a corresponding web session
ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17
security advisory.

This allowed attackers able to obtain a CSRF token without associated session
ID to implement CSRF attacks with the following constraints:

  * The token had to be created for the anonymous user (and could only be used
    for actions the anonymous user can perform).
  * The victim's IP address needed to remain unchanged (unless the proxy
    compatibility option was enabled).
  * The victim must not have a valid web session at the time of the attack.

CSRF token generation now creates a web session if none exists yet, so that the
lack of a web session ID cannot be exploited.

Note: This fix may impact scripts that obtain a crumb from the crumb issuer API.
They may need to be updated to retain the session ID for subsequent requests.
For further information, see the LTS upgrade guide.

As a workaround, administrators can remove any permissions granted to the
anonymous user so that no privileged actions can be taken. Alternatively, the
Strict Crumb Issuer Plugin can be used instead of the built-in default crumb
issuer to prevent this issue, because the vulnerability is not present in the
plugin.

Sandbox Bypass in Splunk Plugin
SECURITY-1294 / CVE-2019-10390

Splunk Plugin has a form validation HTTP endpoint used to validate a
user-submitted Groovy script through compilation, which was not subject to
sandbox protection.

This allowed attackers with Overall/Read access to execute arbitrary code on
the Jenkins master by applying AST transforming annotations such as @Grab to
source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration
preventing the use of unsafe AST transforming annotations.

IBM Application Security on Cloud Plugin showed plain text password in job
configuration form fields
SECURITY-1512 / CVE pending

IBM Application Security on Cloud Plugin stores service passwords in job
configurations. While the password is stored encrypted on disk, it was
transmitted in plain text as part of the configuration form.

This could result in exposure of the password through browser extensions,
cross-site scripting vulnerabilities, and similar situations.

IBM Application Security on Cloud Plugin no longer transmits the password form
field in plain text.

Severity

  * SECURITY-1294: High
  * SECURITY-1453: Medium
  * SECURITY-1491: High
  * SECURITY-1512: Low

Affected Versions

  * Jenkins weekly up to and including 2.191
  * Jenkins LTS up to and including 2.176.2
  * IBM Application Security on Cloud Plugin up to and including 1.2.4
  * Splunk Plugin up to and including 1.7.4

Fix

  * Jenkins weekly should be updated to version 2.192
  * Jenkins LTS should be updated to version 2.176.3
  * IBM Application Security on Cloud Plugin should be updated to version 1.2.5
  * Splunk Plugin should be updated to version 1.8.0

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * James Holderness, IB Boost for SECURITY-1512
  * Jesper den Boer for SECURITY-1453

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
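The SECURITY-1491 note above says scripts that fetch a crumb from the crumb issuer API may need to retain the session ID for later requests, because a crumb is now bound to the web session created when it is issued. The following added example (not Jenkins code, and not part of the bulletin) models that post-fix behaviour with a constructed in-process stand-in for the crumb issuer, then shows that a client which keeps the JSESSIONID cookie alongside the crumb succeeds while one that discards the cookie between requests is rejected; the endpoint paths and the JSESSIONID cookie name are assumptions for the illustration.

```python
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a post-fix crumb issuer: crumb is tied to its session.
SESSIONS = {}  # JSESSIONID -> crumb issued for that session

class FakeJenkins(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def do_GET(self):
        if self.path != "/crumbIssuer/api/json":
            return self.send_error(404)
        sid, crumb = secrets.token_hex(8), secrets.token_hex(16)
        SESSIONS[sid] = crumb  # the session is created when the crumb is issued
        body = json.dumps({"crumb": crumb, "crumbRequestField": "Jenkins-Crumb"})
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        cookie = self.headers.get("Cookie", "")
        sid = cookie.split("JSESSIONID=", 1)[1].split(";")[0] if "JSESSIONID=" in cookie else None
        valid = sid in SESSIONS and self.headers.get("Jenkins-Crumb") == SESSIONS[sid]
        self.send_response(200 if valid else 403)
        self.end_headers()

def start_server():
    # Start the stand-in on an ephemeral port and return its base URL.
    srv = HTTPServer(("127.0.0.1", 0), FakeJenkins)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def post_with_crumb(base, keep_session):
    # Fetch a crumb, then POST with it; keep_session=False mimics old scripts that drop cookies.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    with opener.open(base + "/crumbIssuer/api/json") as resp:
        crumb = json.load(resp)
    if not keep_session:
        opener = urllib.request.build_opener()  # fresh opener: JSESSIONID cookie is gone
    req = urllib.request.Request(base + "/job/example/build", data=b"", method="POST",
                                 headers={crumb["crumbRequestField"]: crumb["crumb"]})
    try:
        return opener.open(req).status
    except urllib.error.HTTPError as err:
        return err.code
```

With a real Jenkins the same rule applies: reuse the cookie jar (or the JSESSIONID cookie) from the crumb request on every subsequent request, or the crumb is refused.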
===========================================================================