Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

                   Jenkins Security Advisory 2020-01-29
                              30 January 2020


        AusCERT Security Bulletin Summary

Product:           Jenkins core
                   Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Existing Account      
                   Cross-site Scripting   -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Read-only Data Access  -- Remote/Unauthenticated
                   Unauthorised Access    -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2108 CVE-2020-2107 CVE-2020-2106
                   CVE-2020-2105 CVE-2020-2104 CVE-2020-2103
                   CVE-2020-2102 CVE-2020-2101 CVE-2020-2100

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-01-29

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Jenkins (core)
  o Code Coverage API Plugin
  o Fortify Plugin
  o WebSphere Deployer Plugin


Inbound TCP Agent Protocol/3 authentication bypass

SECURITY-1682 / CVE-2020-2099

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier includes support for the
Inbound TCP Agent Protocol/3 for communication between master and agents. While
this protocol has been deprecated in 2018 and was recently removed from Jenkins
in 2.214, it could still easily be enabled in Jenkins LTS 2.204.1, 2.213, and

This protocol incorrectly reuses encryption parameters which allow an
unauthenticated remote attacker to determine the connection secret. This secret
can then be used to connect attacker-controlled Jenkins agents to the Jenkins

Jenkins 2.204.2 no longer allows for the use of Inbound TCP Agent Protocol/3 by
default. The system property
jenkins.slaves.JnlpSlaveAgentProtocol3.ALLOW_UNSAFE can be set to true to allow
enabling the Inbound TCP Agent Protocol/3 in Jenkins 2.204.2, but doing so is
strongly discouraged.

Inbound TCP Agent Protocol/3 was removed completely from Jenkins 2.214 and will
not be part of Jenkins LTS after the end of the 2.204.x line.

Jenkins vulnerable to UDP amplification reflection attack

SECURITY-1641 / CVE-2020-2100

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier supports two network
discovery services (UDP multicast/broadcast and DNS multicast) by default.

The UDP multicast/broadcast service can be used in an amplification reflection
attack, as very few bytes sent to the respective endpoint result in much larger
responses: A single byte request to this service would respond with more than
100 bytes of Jenkins metadata which could be used in a DDoS attack on a Jenkins
master. Within the same network, spoofed UDP packets could also be sent to make
two Jenkins masters go into an infinite loop of replies to one another, thus
causing a denial of service.

Jenkins 2.219, LTS 2.204.2 now disables both UDP multicast/broadcast and DNS
multicast by default.

Administrators that need these features can re-enable them again by setting the
system property hudson.DNSMultiCast.disabled to false (for DNS multicast) or
the system property hudson.udp to 33848, or another port (for UDP broadcast/
multicast). These are the same system properties that controlled whether these
features were enabled in the past, so any instances explicitly enabling these
features by setting these system properties will continue to have them enabled.

Non-constant time comparison of inbound TCP agent connection secret

SECURITY-1659 / CVE-2020-2101

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time
comparison validating the connection secret when an inbound TCP agent
connection is initiated. This could potentially allow attackers to use
statistical methods to obtain the connection secret.

Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison function for
verifying connection secrets.

Non-constant time HMAC comparison

SECURITY-1660 / CVE-2020-2102

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time
comparison when checking whether two HMACs are equal. This could potentially
allow attackers to use statistical methods to obtain a valid HMAC for an
attacker-controlled input value.

Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison when validating

Diagnostic page exposed session cookies

SECURITY-1695 / CVE-2020-2103

Jenkins shows various technical details about the current user on the /whoAmI
page. In a previous fix, the Cookie header value containing the HTTP session ID
was redacted. However, user metadata shown on this page could also include the
HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier.

This allows attackers able to exploit a cross-site scripting vulnerability to
obtain the HTTP session ID value from this page.

Jenkins 2.219, LTS 2.204.2 no longer prints out the affected user metadata that
might contain the HTTP session ID.

Additionally, we also redact values of further authentication-related HTTP
headers in addition to Cookie on this page as a hardening.

Memory usage graphs accessible to anyone with Overall/Read

SECURITY-1650 / CVE-2020-2104

Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins

Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier
requires no permissions beyond the general Overall/Read, allowing users who are
not administrators to view JVM memory usage data.

Jenkins 2.219, LTS 2.204.2 now requires Overall/Administer permissions to view
the JVM memory usage chart.

Jenkins REST APIs vulnerable to clickjacking

SECURITY-1704 / CVE-2020-2105

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the
X-Frame-Options: deny HTTP header on REST API responses to protect against
clickjacking attacks. An attacker could exploit this by routing the victim
through a specially crafted web page that embeds a REST API endpoint in an
iframe and tricking the user into performing an action which would allow for
the attacker to learn the content of that REST API endpoint.

Jenkins 2.219, LTS 2.204.2 now adds the X-Frame-Options: deny HTTP header to
REST API responses, which prevents these types of clickjacking attacks.

Stored XSS vulnerability in Code Coverage API Plugin

SECURITY-1680 / CVE-2020-2106

Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the
coverage report used in its view.

This results in a stored cross-site scripting vulnerability that can be
exploited by users able to change the job configuration.

Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used
in its view.

Fortify Plugin stored credentials in plain text

SECURITY-1565 / CVE-2020-2107

Fortify Plugin 19.1.29 and earlier stored its proxy server password unencrypted
in job config.xml files. This password could be read by users with the Extended
Read permission.

Fortify Plugin 19.2.30 now encrypts the proxy server password.

XXE vulnerability in WebSphere Deployer Plugin

SECURITY-1719 / CVE-2020-2108

WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser
to prevent XML external entity (XXE) attacks. This could be exploited by a user
with Job/Configure permissions to upload a specially crafted war file
containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.

As of publication of this advisory, there is no fix.


  o SECURITY-1565: Medium
  o SECURITY-1641: Medium
  o SECURITY-1650: Medium
  o SECURITY-1659: Medium
  o SECURITY-1660: Medium
  o SECURITY-1680: Medium
  o SECURITY-1682: High
  o SECURITY-1695: Medium
  o SECURITY-1704: Low
  o SECURITY-1719: High

Affected Versions

  o Jenkins weekly up to and including 2.218
  o Jenkins LTS up to and including 2.204.1
  o Code Coverage API Plugin up to and including 1.1.2
  o Fortify Plugin up to and including 19.1.29
  o WebSphere Deployer Plugin up to and including 1.6.1


  o Jenkins weekly should be updated to version 2.219
  o Jenkins LTS should be updated to version 2.204.2
  o Code Coverage API Plugin should be updated to version 1.1.3
  o Fortify Plugin should be updated to version 19.2.30

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following

  o WebSphere Deployer Plugin


The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Adam Thorn, University of Cambridge for SECURITY-1641
  o Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com
    / for SECURITY-1719
  o Daniel Beck, CloudBees, Inc. for SECURITY-1650, SECURITY-1660
  o Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for
  o Federico Pellegrin for SECURITY-1680
  o James Holderness, IB Boost for SECURITY-1565
  o Jesse Glick, CloudBees, Inc. and, independently, Wasin Saengow for
  o Michele Romano for SECURITY-1704
  o Thijs Alkemade from Computest for SECURITY-1682

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967