===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1059
                   Jenkins Security Advisory 2020-03-25
                               26 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Core
                   Jenkins Plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2171 CVE-2020-2170 CVE-2020-2169
                   CVE-2020-2168 CVE-2020-2167 CVE-2020-2166
                   CVE-2020-2165 CVE-2020-2164 CVE-2020-2163
                   CVE-2020-2162 CVE-2020-2161 CVE-2020-2160

Original Bulletin: 
   https://jenkins.io/security/advisory/2020-03-25/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-03-25  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Jenkins (core)
  o Artifactory Plugin
  o Azure Container Service Plugin
  o OpenShift Pipeline Plugin
  o Pipeline: AWS Steps Plugin
  o Queue cleanup Plugin
  o RapidDeploy Plugin

Descriptions  

CSRF protection for any URL could be bypassed  

SECURITY-1774 / CVE-2020-2160

An extension point in Jenkins allows selectively disabling cross-site request
forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of
the URL path than the Stapler web framework uses to dispatch requests in
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed
attackers to craft URLs that would bypass the CSRF protection of any target
URL.

Jenkins now uses the same representation of the URL path to decide whether CSRF
protection is needed for a given URL as the Stapler web framework uses.

Note: In case of problems, administrators can disable this security fix by
setting the system property
hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true.

Note: As an additional safeguard, semicolon (;) characters in the path part of a
URL are now banned by default. Administrators can disable this protection
by setting the system property
jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath to true.

Stored XSS vulnerability in label expression validation  

SECURITY-1781 / CVE-2020-2161

Users with Agent/Configure permissions can define labels for nodes. These
labels can be referenced in job configurations to restrict where a job can be
run.

In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for
label expressions in job configuration forms did not properly escape label
names, resulting in a stored cross-site scripting (XSS) vulnerability
exploitable by users able to define node labels.

Jenkins now correctly escapes node labels that are shown in form validation on
job configuration pages.

Stored XSS vulnerability in file parameters  

SECURITY-1793 / CVE-2020-2162

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as
file parameters to a build without specifying appropriate
Content-Security-Policy HTTP headers. This resulted in a stored cross-site
scripting (XSS) vulnerability exploitable by users with permissions to build a
job with file parameters.

Jenkins now sets Content-Security-Policy HTTP headers when serving files
uploaded via a file parameter to the same value as used for files in workspaces
and archived artifacts not served using the Resource Root URL.

The system property hudson.model.DirectoryBrowserSupport.CSP can be set to
override the value of Content-Security-Policy headers sent when serving these
files. This is the same system property used for files in workspaces and
archived artifacts unless those are served via the Resource Root URL and works
the same way for file parameters. See Configuring Content Security Policy to
learn more.

Note: Even when Jenkins is configured to serve files in workspaces and archived
artifacts using the Resource Root URL (introduced in Jenkins 2.200), file
parameters are not, and are therefore still subject to Content-Security-Policy
restrictions.

Stored XSS vulnerability in list view column headers  

SECURITY-1796 / CVE-2020-2163

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in
list view column headers. This resulted in a stored cross-site scripting (XSS)
vulnerability exploitable by users able to control the content of column
headers.

The following plugins are known to allow users to define column headers:

  o Warnings NG

  o Maven Info

  o Link Column

Further plugins may also allow users to define column headers.

Jenkins no longer processes HTML embedded in list view column headers.

Passwords stored in plain text by Artifactory Plugin  

SECURITY-1542 (1) / CVE-2020-2164

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in
plain text in the global configuration file
org.jfrog.hudson.ArtifactoryBuilder.xml. This password can be viewed by users
with access to the Jenkins master file system.

Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted.
This change is effective once the global configuration is saved the next time.

Passwords transmitted in plain text by Artifactory Plugin  

SECURITY-1542 (2) / CVE-2020-2165

Artifactory Plugin stores Artifactory server passwords in its global
configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins
master as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin 3.6.0,
it is transmitted in plain text as part of the configuration form by
Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the
password through browser extensions, cross-site scripting vulnerabilities, and
similar situations.

Artifactory Plugin 3.6.1 transmits the password in its global configuration
encrypted.

RCE vulnerability in Pipeline: AWS Steps Plugin  

SECURITY-1741 / CVE-2020-2166

Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser
to prevent the instantiation of arbitrary types. This results in a remote code
execution (RCE) vulnerability exploitable by users able to provide YAML input
files to Pipeline: AWS Steps Plugin's build steps.

Pipeline: AWS Steps Plugin 1.41 configures its YAML parser to only instantiate
safe types.

RCE vulnerability in OpenShift Pipeline Plugin  

SECURITY-1739 / CVE-2020-2167

OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser
to prevent the instantiation of arbitrary types. This results in a remote code
execution (RCE) vulnerability exploitable by users able to provide YAML input
files to OpenShift Pipeline Plugin's build step.

OpenShift Pipeline Plugin 1.0.57 configures its YAML parser to only instantiate
safe types.

RCE vulnerability in Azure Container Service Plugin  

SECURITY-1732 / CVE-2020-2168

Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML
parser to prevent the instantiation of arbitrary types. This results in a
remote code execution (RCE) vulnerability exploitable by users able to provide
YAML input files to Azure Container Service Plugin's build step.

Azure Container Service Plugin 1.0.2 configures its YAML parser to only
instantiate safe types.
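The three YAML issues above (Pipeline: AWS Steps, OpenShift Pipeline and Azure Container Service) share one root cause and one fix. The following is an added example, not code from any of those plugins: it shows the SnakeYAML default constructor beside the SafeConstructor configuration the fixed versions adopt. The class names and the sample documents are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public final class SafeYamlLoader {

    /** Vulnerable pattern: the default Constructor honours global tags such as
     *  !!some.Class and instantiates that class (running its constructors and
     *  setters) from whatever the YAML file says. */
    static Yaml unsafeYaml() {
        return new Yaml(); // same as new Yaml(new Constructor())
    }

    /** Fixed pattern: SafeConstructor only builds standard YAML types (scalars,
     *  sequences, mappings) and rejects any other tag at load time.
     *  SnakeYAML 1.x API; 2.x needs new SafeConstructor(new LoaderOptions()). */
    static Yaml safeYaml() {
        return new Yaml(new SafeConstructor());
    }

    /** Parse a build-step input file as a plain mapping, refusing custom tags. */
    static Map<String, Object> loadDescriptor(String yamlText) {
        Object doc = safeYaml().load(yamlText);
        if (!(doc instanceof Map)) {
            throw new IllegalArgumentException("expected a YAML mapping at top level");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> m = (Map<String, Object>) doc;
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample input; a real build step would read it from the job.
        String benign = "name: demo\nreplicas: 3\n";
        System.out.println(loadDescriptor(benign));

        // A document carrying a non-standard tag (placeholder class name): the
        // safe parser refuses it instead of resolving and instantiating a class.
        String tagged = "name: !!com.example.AnyClass {}\n";
        try {
            loadDescriptor(tagged);
        } catch (ConstructorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```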

Reflected XSS vulnerability in Queue cleanup Plugin  

SECURITY-1724 / CVE-2020-2169

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does
not escape a query parameter displayed in an error message. This results in a
reflected cross-site scripting vulnerability (XSS).

Queue cleanup Plugin 1.4 correctly escapes the query parameter.
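Both SECURITY-1781 (label names echoed by form validation) and SECURITY-1724 (a query parameter echoed in a validation error) are the same defect: a user-influenced string reaching a form validation message without HTML escaping. The following is an added example, not Jenkins core or Queue cleanup Plugin code, showing the Jenkins FormValidation API pattern that causes it and the two escaping patterns that fix it; the class, the label set and the simplified label splitting are constructed for illustration.

```java
import hudson.Util;
import hudson.util.FormValidation;
import java.util.Set;
import org.kohsuke.stapler.QueryParameter;

public final class LabelExpressionCheck {

    // Constructed sample of labels an Agent/Configure user might have defined.
    static final Set<String> KNOWN_LABELS = Set.of("linux", "docker", "windows");

    /** Vulnerable pattern: the *WithMarkup factories render the message as
     *  HTML, so a label name containing markup reaches the page unescaped. */
    static FormValidation unsafeUnknownLabel(String label) {
        return FormValidation.errorWithMarkup("No agent has label <b>" + label + "</b>");
    }

    /** Fixed pattern 1: the plain error()/warning()/ok() factories HTML-escape
     *  the whole message before it is rendered. */
    static FormValidation unknownLabel(String label) {
        return FormValidation.error("No agent has label " + label);
    }

    /** Fixed pattern 2: when markup is wanted, escape every untrusted piece
     *  with Util.escape before concatenating it into the HTML. */
    static FormValidation unknownLabelWithMarkup(String label) {
        return FormValidation.errorWithMarkup(
                "No agent has label <b>" + Util.escape(label) + "</b>");
    }

    /** Validation endpoint as Stapler would invoke it for a job form field.
     *  'value' is untrusted whether it comes from a stored label or straight
     *  from the query string. Splitting on whitespace is a simplification;
     *  real label expressions also carry operators and parentheses. */
    public FormValidation doCheckLabel(@QueryParameter String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        for (String label : value.trim().split("\\s+")) {
            if (!KNOWN_LABELS.contains(label)) {
                return unknownLabelWithMarkup(label);
            }
        }
        return FormValidation.ok();
    }
}
```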

Stored XSS vulnerability in RapidDeploy Plugin  

SECURITY-1676 / CVE-2020-2170

RapidDeploy Plugin 4.2 and earlier does not escape package names in its
displayed table of packages obtained from a remote server. This results in a
stored cross-site scripting (XSS) vulnerability exploitable by users able to
configure jobs.

RapidDeploy Plugin 4.2.1 escapes package names.

XXE vulnerability in RapidDeploy Plugin  

SECURITY-1677 / CVE-2020-2171

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy
deployment package build' build or post-build step to have Jenkins parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins master, server-side request forgery, or denial-of-service attacks.

RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML
parser.

Severity  

  o SECURITY-1542 (1): Low
  o SECURITY-1542 (2): Low
  o SECURITY-1676: Medium
  o SECURITY-1677: High
  o SECURITY-1724: Medium
  o SECURITY-1732: High
  o SECURITY-1739: High
  o SECURITY-1741: High
  o SECURITY-1774: High
  o SECURITY-1781: Medium
  o SECURITY-1793: Medium
  o SECURITY-1796: Medium

Affected Versions  

  o Jenkins weekly up to and including 2.227
  o Jenkins LTS up to and including 2.204.5
  o Artifactory Plugin up to and including 3.6.0
  o Azure Container Service Plugin up to and including 1.0.1
  o OpenShift Pipeline Plugin up to and including 1.0.56
  o Pipeline: AWS Steps Plugin up to and including 1.40
  o Queue cleanup Plugin up to and including 1.3
  o RapidDeploy Plugin up to and including 4.2

Fix  

  o Jenkins weekly should be updated to version 2.228
  o Jenkins LTS should be updated to version 2.204.6 or 2.222.1
  o Artifactory Plugin should be updated to version 3.6.1
  o Azure Container Service Plugin should be updated to version 1.0.2
  o OpenShift Pipeline Plugin should be updated to version 1.0.57
  o Pipeline: AWS Steps Plugin should be updated to version 1.41
  o Queue cleanup Plugin should be updated to version 1.4
  o RapidDeploy Plugin should be updated to version 4.2.1

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-1676, SECURITY-1677
  o Daniel Kalinowski of ISEC.pl Research Team for SECURITY-1732
  o James Holderness, IB Boost, and independently, ethorsa for SECURITY-1542 (1)
  o Nick Collisson from Gemini Trust Company, LLC. for SECURITY-1774
  o Phu X. Mai, University of Luxembourg for SECURITY-1793
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1724, SECURITY-1781

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================