-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4420
                   Jenkins Security Advisory 2019-11-21
                             22 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Delete Arbitrary Files          -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16548 CVE-2019-16547 CVE-2019-16546
                   CVE-2019-16545 CVE-2019-16544 CVE-2019-16543
                   CVE-2019-16542 CVE-2019-16541 CVE-2019-16540
                   CVE-2019-16539 CVE-2019-16538 

Original Bulletin: 
   https://jenkins.io/security/advisory/2019-11-21/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-11-21

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Anchore Container Image Scanner Plugin
  o Google Compute Engine Plugin
  o JIRA Plugin
  o QMetry for JIRA - Test Management Plugin
  o Script Security Plugin
  o Spira Importer Plugin
  o Support Core Plugin

Descriptions

Sandbox bypass vulnerability in Script Security Plugin

SECURITY-1658 / CVE-2019-16538

Sandbox protection in Script Security Plugin could be circumvented through
closure default parameter expressions.

This allowed attackers able to specify and run sandboxed scripts to execute
arbitrary code in the context of the Jenkins master JVM.

These expressions are now subject to sandbox protection.

Support Core Plugin allowed users with Overall/Read permission to delete
arbitrary files

SECURITY-1634 / CVE-2019-16539 (permission check), CVE-2019-16540 (path
traversal)

Support Core Plugin did not validate the paths submitted for the "Delete
Support Bundles" feature. This allowed users to delete arbitrary files on the
Jenkins master file system accessible to the OS user account running Jenkins.

Additionally, this endpoint did not perform a permission check, allowing users
with Overall/Read permission to delete support bundles, as well as any other
file with a known name or path.

Support Core Plugin now only allows the deletion of support bundles and related
files listed on the UI through this feature. It also ensures that only users
with "Download Bundle" permission are able to delete support bundles.
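The two defects in SECURITY-1634 (missing permission check, unvalidated path) and the shape of the fix (permission check, then deletion restricted to what the listing shows) are generic enough to illustrate outside Jenkins. The following is an added example, not Support Core Plugin code; the permission names are taken from the advisory but the permission model, the directory layout and the file contents are constructed stand-ins.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical permission names standing in for the ones the advisory mentions;
# the set-of-strings permission model is a stand-in for Jenkins' ACL checks.
PERM_OVERALL_READ = "Overall/Read"
PERM_DOWNLOAD_BUNDLE = "Download Bundle"


class PermissionDenied(Exception):
    """Raised when the caller lacks the permission the endpoint requires."""


def list_bundles(bundle_dir: Path) -> set:
    """Names the UI would list: regular .zip files directly inside bundle_dir."""
    return {p.name for p in bundle_dir.iterdir()
            if p.is_file() and p.name.endswith(".zip")}


def delete_bundle_unsafe(bundle_dir: Path, submitted: str) -> None:
    """The vulnerable pattern: no permission check, and the submitted value is
    joined to the bundle directory as-is, so '../x' or an absolute path
    escapes the directory."""
    os.remove(os.path.join(bundle_dir, submitted))


def delete_bundle_safe(bundle_dir: Path, user_perms: set, submitted: str) -> Path:
    """The hardened pattern: check the permission first, accept only a name
    that appears in the same listing the UI shows, then confirm the resolved
    path still lives inside the bundle directory."""
    if PERM_DOWNLOAD_BUNDLE not in user_perms:
        raise PermissionDenied(f"{PERM_DOWNLOAD_BUNDLE} required")
    if submitted not in list_bundles(bundle_dir):
        # Covers '../', absolute paths, and files that are not bundles at all.
        raise ValueError(f"not a listed support bundle: {submitted!r}")
    target = (bundle_dir / submitted).resolve()
    if target.parent != bundle_dir.resolve():
        # Defence in depth: the listing check should already prevent this.
        raise ValueError("resolved path left the bundle directory")
    target.unlink()
    return target


def demo() -> dict:
    """Builds a constructed layout in a temp dir and exercises both versions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bundles = root / "support"
        bundles.mkdir()
        bundle = bundles / "support_2019-11-21.zip"
        bundle.write_bytes(b"constructed bundle content")
        outside = root / "secrets.xml"  # constructed; stands in for any other file
        outside.write_text("constructed content")
        result = {}

        delete_bundle_unsafe(bundles, "../secrets.xml")
        result["unsafe_deleted_outside_file"] = not outside.exists()
        outside.write_text("constructed content")  # restore for the next checks

        try:
            delete_bundle_safe(bundles, {PERM_OVERALL_READ, PERM_DOWNLOAD_BUNDLE},
                               "../secrets.xml")
            result["safe_rejected_traversal"] = False
        except ValueError:
            result["safe_rejected_traversal"] = outside.exists()

        try:
            delete_bundle_safe(bundles, {PERM_OVERALL_READ}, bundle.name)
            result["safe_rejected_read_only_user"] = False
        except PermissionDenied:
            result["safe_rejected_read_only_user"] = bundle.exists()

        delete_bundle_safe(bundles, {PERM_OVERALL_READ, PERM_DOWNLOAD_BUNDLE},
                           bundle.name)
        result["safe_deleted_listed_bundle"] = not bundle.exists()
        return result


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The listing check is the important one: comparing the submitted value against the names the server itself enumerated removes the need to reason about `..`, absolute paths, symlinks or encoding tricks, and the `resolve()` comparison afterwards only guards against a mistake in that listing.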

Folder-scoped Jira sites in JIRA Plugin were able to access System-scoped
credentials

SECURITY-1106 / CVE-2019-16541

JIRA Plugin allows the definition of per-folder Jira sites.

The credentials lookup for this feature did not set the appropriate context,
allowing the use of System-scoped credentials otherwise reserved for use in the
global configuration. This allowed users with Item/Configure permission on the
folder to access credentials they're not entitled to, and potentially capture
them.

JIRA Plugin now defines the appropriate folder context for credential lookup. As
a side effect, existing per-folder Jira sites may lose access to already
configured System-scoped credentials, as if no credential was specified in the
first place.
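The effect of the lookup context on credential scope, and the side effect the fix has on existing per-folder sites, can be shown with a small model. This is an added example and not the JIRA Plugin's or the Jenkins credentials plugin's code: the `Scope`, `Credential` and `Context` types, the store contents and the secret values are constructed for illustration, with only the scope names taken from the advisory.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Scope(Enum):
    """The two credential scopes the advisory refers to."""
    SYSTEM = "SYSTEM"  # reserved for the global (root) configuration
    GLOBAL = "GLOBAL"  # available to folders and jobs as well


@dataclass(frozen=True)
class Credential:
    id: str
    scope: Scope
    secret: str  # constructed values only


@dataclass(frozen=True)
class Context:
    """Hypothetical model object a lookup is performed against: the root
    instance or a folder. Jenkins passes the actual model object instead."""
    name: str
    is_root: bool


ROOT = Context("jenkins", is_root=True)

# Constructed credential store.
STORE = (
    Credential("agent-ssh-key", Scope.SYSTEM, "constructed-system-secret"),
    Credential("jira-api-token", Scope.GLOBAL, "constructed-global-secret"),
)


def lookup(credential_id: str, context: Context) -> Optional[Credential]:
    """SYSTEM-scoped credentials resolve only when the lookup context is the root."""
    for cred in STORE:
        if cred.id != credential_id:
            continue
        if cred.scope is Scope.SYSTEM and not context.is_root:
            return None
        return cred
    return None


def resolve_site_credential_vulnerable(folder: Context, credential_id: str) -> Optional[Credential]:
    """The bug pattern: the per-folder site resolves its credential against
    the root context, so the folder's scope restriction never applies."""
    return lookup(credential_id, ROOT)


def resolve_site_credential_fixed(folder: Context, credential_id: str) -> Optional[Credential]:
    """The fix pattern: the folder is the lookup context, so a SYSTEM-scoped
    credential resolves to nothing, which is the side effect the advisory
    describes for existing per-folder sites."""
    return lookup(credential_id, folder)


def compare(folder_name: str, credential_id: str) -> dict:
    """Resolves one credential id both ways for a folder-scoped site."""
    folder = Context(folder_name, is_root=False)
    before = resolve_site_credential_vulnerable(folder, credential_id)
    after = resolve_site_credential_fixed(folder, credential_id)
    return {"vulnerable": before.id if before else None,
            "fixed": after.id if after else None}


if __name__ == "__main__":
    print(compare("team-a", "agent-ssh-key"))    # SYSTEM: resolves only in the buggy version
    print(compare("team-a", "jira-api-token"))   # GLOBAL: resolves in both
```

Running the same lookup with the root context is what made the folder-level site behave like the global configuration; once the folder is passed as context, the GLOBAL credential still resolves and the SYSTEM one no longer does.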

Anchore Container Image Scanner Plugin stored credentials in plain text

SECURITY-1539 / CVE-2019-16542

Anchore Container Image Scanner Plugin stored an Anchore.io service password
unencrypted in job config.xml files as part of its configuration. This
credential could be viewed by users with Extended Read permission or access to
the master file system.

As the affected functionality has been deprecated, and the affected Anchore.io
service has been shut down in late 2018, the affected feature has been removed.
The password will be removed from the job configuration once it is saved again.

Spira Importer Plugin stored credentials in plain text

SECURITY-1554 / CVE-2019-16543

Spira Importer Plugin stored a credential unencrypted in its global
configuration file com.inflectra.spiratest.plugins.SpiraBuilder.xml on the
Jenkins master. This credential could be viewed by users with access to the
master file system.

Spira Importer Plugin now stores this credential encrypted once its
configuration is saved again.

Google Compute Engine Plugin did not verify SSH host keys

SECURITY-1584 / CVE-2019-16546

Google Compute Engine Plugin did not use SSH host key verification when
connecting to VMs launched by the plugin. This lack of verification could be
abused by a MitM attacker to intercept these connections to attacker-specified
build agents without warning.

Google Compute Engine Plugin now verifies SSH host keys before executing any
commands on agents.
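What "verifying the host key before executing any commands" amounts to is a lookup of the key the agent presents against a trusted record, with three possible outcomes. The following is an added example, not Google Compute Engine Plugin code: it implements the OpenSSH `known_hosts` matching rules (plain host lists and `|1|salt|hash` hashed entries) in the standard library, with constructed key blobs, hostnames and salt, and shows which outcomes a strict or trust-on-first-use policy lets proceed.

```python
import base64
import hashlib
import hmac

# Constructed key blobs and known_hosts content; none of these are real keys
# or hosts.
KEY_A = base64.b64encode(b"constructed key blob A, not a real SSH key").decode()
KEY_B = base64.b64encode(b"constructed key blob B, not a real SSH key").decode()
SALT = b"constructed-salt-20b"  # 20 bytes, the size OpenSSH uses for hashed entries


def hashed_host_entry(host: str, salt: bytes) -> str:
    """Builds an OpenSSH-style hashed hostname field: |1|<salt>|<hmac-sha1>."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for this example",
    f"agent-1.internal,10.0.0.11 ssh-ed25519 {KEY_A} jenkins agent 1",
    f"{hashed_host_entry('agent-2.internal', SALT)} ssh-ed25519 {KEY_B}",
])


def parse_known_hosts(text: str):
    """Yields (host_field, key_type, key_b64) for each non-comment line."""
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def host_matches(host_field: str, host: str) -> bool:
    """Matches a plain or hashed known_hosts host field against a hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = host_field.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), host.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return host in host_field.split(",")


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob, for log messages."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Returns 'match', 'mismatch' (host known, different key) or 'unknown'."""
    host_known = False
    presented = base64.b64decode(key_b64)
    for host_field, ktype, kb64 in parse_known_hosts(known_hosts):
        if ktype != key_type or not host_matches(host_field, host):
            continue
        host_known = True
        if hmac.compare_digest(base64.b64decode(kb64), presented):
            return "match"
    return "mismatch" if host_known else "unknown"


def may_run_commands(verdict: str, policy: str = "strict") -> bool:
    """'strict' accepts only a recorded key; 'tofu' also accepts a host never
    seen before (and should then record its key); neither accepts a mismatch.
    A client that skips verification entirely, as described above, is the
    same as returning True for every verdict."""
    if policy == "strict":
        return verdict == "match"
    if policy == "tofu":
        return verdict in ("match", "unknown")
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    for host, key in [("agent-1.internal", KEY_A), ("10.0.0.11", KEY_B),
                      ("agent-2.internal", KEY_B), ("agent-3.internal", KEY_A)]:
        verdict = verify_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key)
        print(f"{host:18} {fingerprint(key)} -> {verdict}, "
              f"strict={may_run_commands(verdict)} tofu={may_run_commands(verdict, 'tofu')}")
```

For agents a plugin launches itself, the strict policy is achievable because the expected key can be collected from the instance (for example from its serial console or metadata) before the first connection; the `mismatch` verdict is the one that should never be ignored, since that is exactly what a machine-in-the-middle produces.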

Google Compute Engine Plugin disclosed environment information to users with
Overall/Read permission

SECURITY-1585 / CVE-2019-16547

Google Compute Engine Plugin did not verify permissions on multiple
auto-complete API endpoints. This allowed users with Overall/Read permissions
to view various metadata about the running cloud environment.

Google Compute Engine Plugin now requires the appropriate Job/Configure
permission to view this metadata.

CSRF vulnerability in Google Compute Engine Plugin allowed provisioning agents

SECURITY-1586 / CVE-2019-16548

Google Compute Engine Plugin did not require POST requests on an API endpoint.
This CSRF vulnerability allowed attackers to provision new agents.

Google Compute Engine Plugin now requires POST requests for this API endpoint.

QMetry for JIRA - Test Management Plugin stored credentials in plain text

SECURITY-727 (1) / CVE-2019-16544

QMetry for JIRA - Test Management Plugin stored credentials unencrypted in job
config.xml files on the Jenkins master as part of its post-build step
configuration. This credential could be viewed by users with Extended Read
permission or access to the master file system.

QMetry for JIRA - Test Management Plugin now stores these credentials encrypted
once the job configuration is saved again.

QMetry for JIRA - Test Management Plugin shows plain text password in
configuration form

SECURITY-727 (2) / CVE-2019-16545

QMetry for JIRA - Test Management Plugin stores a credential as part of its
post-build step configuration.

While the password is stored encrypted on disk since QMetry for JIRA - Test
Management Plugin 1.13, it is transmitted in plain text as part of the
configuration form. This can result in exposure of the password through browser
extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

Severity

  o SECURITY-727 (1): Medium
  o SECURITY-727 (2): Low
  o SECURITY-1106: Medium
  o SECURITY-1539: Medium
  o SECURITY-1554: Low
  o SECURITY-1584: Medium
  o SECURITY-1585: Medium
  o SECURITY-1586: Medium
  o SECURITY-1634: High
  o SECURITY-1658: High

Affected Versions

  o Anchore Container Image Scanner Plugin up to and including 1.0.19
  o Google Compute Engine Plugin up to and including 4.1.1
  o JIRA Plugin up to and including 3.0.10
  o QMetry for JIRA - Test Management Plugin up to and including 1.12
  o QMetry for JIRA - Test Management Plugin up to and including 1.13
  o Script Security Plugin up to and including 1.67
  o Spira Importer Plugin up to and including 3.2.2
  o Support Core Plugin up to and including 2.63

Fix

  o Anchore Container Image Scanner Plugin should be updated to version 1.0.20
  o Google Compute Engine Plugin should be updated to version 4.2.0
  o JIRA Plugin should be updated to version 3.0.11
  o QMetry for JIRA - Test Management Plugin should be updated to version 1.13
  o Script Security Plugin should be updated to version 1.68
  o Spira Importer Plugin should be updated to version 3.2.3
  o Support Core Plugin should be updated to version 2.64

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o QMetry for JIRA - Test Management Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-1106, SECURITY-1634
  o James Holderness, IB Boost for SECURITY-1539, SECURITY-1554
  o Matt Sicker, CloudBees, Inc. for SECURITY-1584, SECURITY-1585,
    SECURITY-1586
  o Nils Emmerich of ERNW Research GmbH for SECURITY-1658

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----