===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0191
                   Jenkins Security Advisory 2021-01-13
                              15 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Core
                   Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Overwrite Arbitrary Files -- Existing Account            
                   Cross-site Scripting      -- Remote with User Interaction
                   Denial of Service         -- Existing Account            
                   Access Confidential Data  -- Existing Account            
                   Reduced Security          -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21614 CVE-2021-21613 CVE-2021-21612
                   CVE-2021-21611 CVE-2021-21610 CVE-2021-21609
                   CVE-2021-21608 CVE-2021-21607 CVE-2021-21606
                   CVE-2021-21605 CVE-2021-21604 CVE-2021-21603
                   CVE-2021-21602 CVE-2018-1000862 

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2021-01-13/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2021-01-13

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)
  * Bumblebee HP ALM Plugin
  * TICS Plugin
  * TraceTronic ECU-TEST Plugin

Descriptions

XSS vulnerability in notification bar

SECURITY-1889 / CVE-2021-21603

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification
bar response contents (typically shown after form submissions via Apply
button).

This results in a cross-site scripting (XSS) vulnerability exploitable by
attackers able to influence notification bar contents.

Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.

Stored XSS vulnerability in button labels

SECURITY-2035 / CVE-2021-21608

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button
labels in the Jenkins UI.

This results in a cross-site scripting vulnerability exploitable by attackers
with the ability to control button labels. The buttons of the Pipeline input
step are one example of buttons with a user-controlled label.

Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.

Reflected XSS vulnerability in markup formatter preview

SECURITY-2153 / CVE-2021-21610

Jenkins allows administrators to choose the markup formatter to use for
descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing
such a description, users can choose to have Jenkins render a formatted preview
of the description they entered.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any
restrictions for the URL rendering the formatted preview of markup passed as a
query parameter. This results in a reflected cross-site scripting (XSS)
vulnerability if the configured markup formatter does not prohibit unsafe
elements (JavaScript) in markup, like Anything Goes Formatter Plugin.

Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST
and sets Content-Security-Policy headers that prevent execution of unsafe
elements when the URL is accessed directly.

Note: In case of problems with this change, these protections can be disabled
by setting the Java system properties
hudson.markup.MarkupFormatter.previewsAllowGET to true and/or
hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is
discouraged.

Stored XSS vulnerability on new item page

SECURITY-2171 / CVE-2021-21611

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display
names and IDs of item types shown on the New Item page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to specify display names or IDs of item types.

Note: As of the publication of this advisory, the Jenkins security team is not
aware of any plugins published via the Jenkins project update center that
allow doing this.

Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on
the New Item page.

Improper handling of REST API XML deserialization errors

SECURITY-1923 / CVE-2021-21604

Jenkins provides XML REST APIs to configure views, jobs, and other items. When
deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS
2.263.1 and earlier stores invalid object references created through these
endpoints in the Old Data Monitor. If an administrator discards the old data,
some erroneous data submitted to these endpoints may be persisted.

This allows attackers with View/Create, Job/Create, Agent/Create, or their
respective */Configure permissions to inject crafted content into Old Data
Monitor that results in the instantiation of potentially unsafe objects when
discarded by an administrator.

Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data
Monitor anymore.

In case of problems, the Java system properties
hudson.util.RobustReflectionConverter.recordFailuresForAdmins and
hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications can
be set to true to record configuration data submissions from administrators or
all users, partially or completely disabling this fix.

Arbitrary file read vulnerability in workspace browsers

SECURITY-1452 / CVE-2021-21602

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/
userContent/ follows symbolic links to locations outside the directory being
browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control
workspace contents (e.g., with Job/Configure permission or the ability to
change SCM contents) to create symbolic links that allow them to access files
outside workspaces using the workspace browser.

Note: This issue is caused by an incomplete fix for SECURITY-904 /
CVE-2018-1000862 in the 2018-12-08 security advisory.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers.
While they may still exist on the file system, they are no longer shown on the
UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still
behaves as before.
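The following script is an added example for this advisory, not code from the Jenkins project. It performs on the controller file system the check a practitioner would want after upgrading: walk a workspace tree and report every symbolic link whose resolved target lies outside the directory being browsed, which is exactly the class of link the patched workspace browser now refuses to show. The temporary tree built in demo() (the workspace/job1 and secrets directory names) is constructed for illustration only.

```python
"""Scan a Jenkins workspace tree for symbolic links that resolve outside it.

Added example, not Jenkins project code. The resolved-target containment
check mirrors, on disk, what the fixed workspace browser enforces in the UI.
"""
import os
import tempfile


def _is_within(root: str, path: str) -> bool:
    """True if the canonical form of `path` lies under the canonical `root`.

    Uses commonpath rather than a string prefix test so that /a/bc is not
    mistaken for a child of /a/b.
    """
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def find_escaping_symlinks(workspace: str) -> list:
    """Return (link_path, resolved_target) for every symlink below `workspace`
    whose resolved target is not inside `workspace`.

    followlinks=False keeps os.walk from descending into directory symlinks,
    so a link that points back into the tree cannot cause an endless loop.
    """
    escaping = []
    for dirpath, dirnames, filenames in os.walk(workspace, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            target = os.path.realpath(full)
            if not _is_within(workspace, target):
                escaping.append((full, target))
    return escaping


def demo() -> list:
    """Build a constructed workspace with one benign and one escaping link
    and return the base names of the links the scanner flags."""
    base = tempfile.mkdtemp()
    ws = os.path.join(base, "workspace", "job1")       # constructed layout
    os.makedirs(os.path.join(ws, "src"))
    with open(os.path.join(ws, "src", "a.txt"), "w") as fh:
        fh.write("ok\n")
    # Benign: relative link that stays inside the workspace.
    os.symlink(os.path.join("src", "a.txt"), os.path.join(ws, "inside"))
    # Escaping: points at a directory outside the workspace (constructed).
    secrets = os.path.join(base, "secrets")
    os.makedirs(secrets)
    os.symlink(secrets, os.path.join(ws, "escape"))
    flagged = find_escaping_symlinks(ws)
    return sorted(os.path.basename(link) for link, _ in flagged)


if __name__ == "__main__":
    print(demo())
```

Run it against $JENKINS_HOME/workspace and the archived-artifact directories of each job; a hit shows which job (and therefore which SCM or configuration owner) planted the link. Note that the fix only changes what the UI exposes: links found this way still exist on disk and are still archived as before.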

Path traversal vulnerability in agent names

SECURITY-2021 / CVE-2021-21605

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/
Configure permission to choose agent names that cause Jenkins to overwrite
unrelated config.xml files. If the global config.xml file is replaced, Jenkins
will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names
for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system
property jenkins.model.Nodes.enforceNameRestrictions to false.

Arbitrary file existence check in file fingerprints

SECURITY-2023 / CVE-2021-21606

Jenkins provides a feature for jobs to store and track fingerprints of files
used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier
provides a REST API to look up which builds used a given fingerprint. This
endpoint does not fully validate that the provided fingerprint ID is properly
formatted before checking for the XML metadata for that fingerprint on the
controller file system.

This allows attackers with Overall/Read permission to check for the existence
of XML files on the controller file system whose path, relative to the
directory in which fingerprint metadata is looked up, can be expressed in
exactly 32 characters.

Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly
formatted before checking for its existence.
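The following Python block is an added example that serves both the agent-name issue (SECURITY-2021) above and this fingerprint-ID issue (SECURITY-2023); it is not Jenkins source code. It shows the two validation steps that stop a user-controlled string from being turned into an arbitrary path under JENKINS_HOME: an item-name rule for agent names, and a strict hex-format rule for fingerprint IDs, next to a length-only check that lets a crafted 32-character ID probe for config.xml. The reserved-character list, the nodes/<name>/config.xml and fingerprints/aa/bb/<rest>.xml layouts, the /var/lib/jenkins home directory and the "length-only" pre-fix check are all assumptions made for the illustration.

```python
"""Validate user-controlled names before they become file paths under
JENKINS_HOME, for the agent-name (SECURITY-2021) and fingerprint-ID
(SECURITY-2023) issues.

Added example, not Jenkins source code: the reserved-character list, the
nodes/<name>/config.xml and fingerprints/aa/bb/<rest>.xml layouts, the
JENKINS_HOME path and the "length-only" pre-fix check are assumptions.
"""
import os
import re

JENKINS_HOME = "/var/lib/jenkins"  # assumed controller home directory

# Characters assumed to be rejected in item names, in addition to "." and "..".
_RESERVED = set('?*/\\%!@#$^&|<>[]:;')
_HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed 32-character "fingerprint ID": fingerprints/./ + ../ + 28 more
# characters that normalise to config.xml directly under JENKINS_HOME.
TRAVERSAL_ID = "./" + ".." + "./" * 11 + "config"


def _is_within(root: str, path: str) -> bool:
    """True if the normalised `path` lies under the normalised `root`."""
    root = os.path.normpath(os.path.abspath(root))
    path = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([root, path]) == root


def is_good_item_name(name: str) -> bool:
    """Item-name rules the fix is assumed to apply to agent names: non-empty,
    not "." or "..", no control characters, none of the reserved characters."""
    if not name or name.strip() in (".", ".."):
        return False
    for ch in name:
        if ch in _RESERVED or ord(ch) < 32 or ord(ch) == 127:
            return False
    return True


def agent_config_path(name: str, home: str = JENKINS_HOME) -> str:
    """Path an agent's config.xml would be written to. Rejects names that
    fail the item-name rules and, as defence in depth, any result that does
    not stay under nodes/."""
    if not is_good_item_name(name):
        raise ValueError(f"invalid agent name: {name!r}")
    nodes_dir = os.path.join(home, "nodes")
    path = os.path.normpath(os.path.join(nodes_dir, name, "config.xml"))
    if not _is_within(nodes_dir, path):
        raise ValueError(f"agent name escapes nodes/: {name!r}")
    return path


def fingerprint_path_weak(fp_id: str, home: str = JENKINS_HOME):
    """Pre-fix behaviour (assumed): only the length is checked, so an ID
    built from ".", ".." and "/" still turns into a path and can be used
    to probe for arbitrary .xml files on the controller."""
    if len(fp_id) != 32:
        return None
    return os.path.normpath(os.path.join(
        home, "fingerprints", fp_id[:2], fp_id[2:4], fp_id[4:] + ".xml"))


def fingerprint_path(fp_id: str, home: str = JENKINS_HOME):
    """Fixed behaviour: the ID must be exactly 32 hex digits, which can only
    ever name a file below fingerprints/."""
    if not _HEX32.match(fp_id):
        return None
    return fingerprint_path_weak(fp_id, home)
```

The point of the hex rule is that it is a whitelist of the only characters an MD5 fingerprint can contain; a length check, or even a blocklist of "/" and "..", leaves room for other encodings and for platform-specific separators. The same whitelist-first approach is what the agent-name rule applies, with a containment check behind it in case the rule is relaxed via jenkins.model.Nodes.enforceNameRestrictions.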

Excessive memory allocation in graph URLs leads to denial of service

SECURITY-2025 / CVE-2021-21607

Jenkins renders several different graphs for features like agent and label
usage statistics, memory usage, or various plugin-provided statistics.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph
size provided as query parameters.

This allows attackers to request, or to trick legitimate Jenkins users into
requesting, crafted URLs that rapidly consume all available memory in Jenkins,
potentially leading to out-of-memory errors.

Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10
million pixels. If a larger size is requested, the default size for the graph
will be rendered instead.

This threshold can be configured by setting the Java system property
hudson.util.Graph.maxArea to a different number on startup.

Missing permission check for paths with specific prefix

SECURITY-2047 / CVE-2021-21609

Jenkins includes a static list of URLs that are always accessible even without
Overall/Read permission, such as the login form. These URLs are excluded from
an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare
requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided
URLs with any of the following prefixes if no other permissions are required:

  * accessDenied

  * error

  * instance-identity

  * login

  * logout

  * oops

  * securityRealm

  * signup

  * tcpSlaveAgentListener

For example, a plugin contributing the path loginFoo/ would have URLs in that
space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the
publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has
been fixed to only allow access to the specific listed URLs in Jenkins 2.275,
LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible
without Overall/Read permissions: The Java system property
jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of
additional path prefixes to allow access to.
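The following block is an added example, not Jenkins source code, that models the comparison bug behind SECURITY-2047 and its fix: a string-prefix match lets loginFoo/ pass as if it were login, whereas matching only the first path segment exempts exactly the listed URLs. The list is the one given in this advisory; the two comparison functions are simplified reconstructions of the behaviour described, and treating jenkins.model.Jenkins.additionalReadablePaths entries as whole first segments is an assumption.

```python
"""Model of the always-readable URL check, before and after the fix.

Added example, not Jenkins source code: the list is taken from the advisory,
the two comparison functions are simplified models of the behaviour it
describes, and the handling of additionalReadablePaths as whole first
segments is an assumption.
"""

ALWAYS_READABLE = (
    "accessDenied", "error", "instance-identity", "login", "logout",
    "oops", "securityRealm", "signup", "tcpSlaveAgentListener",
)


def _first_segment(rest_of_path: str) -> str:
    """First path segment of the URL part after the Jenkins context root."""
    return rest_of_path.lstrip("/").split("/", 1)[0]


def is_always_readable_vulnerable(rest_of_path: str) -> bool:
    """Pre-fix model: plain string-prefix match, so a plugin URL such as
    loginFoo/ is treated like login and skips the Overall/Read check."""
    path = rest_of_path.lstrip("/")
    return any(path.startswith(entry) for entry in ALWAYS_READABLE)


def is_always_readable_fixed(rest_of_path: str, additional=()) -> bool:
    """Post-fix model: only the listed segment itself (optionally followed
    by a sub-path such as securityRealm/commenceLogin) is exempt.
    `additional` models the additionalReadablePaths escape hatch."""
    return _first_segment(rest_of_path) in ALWAYS_READABLE + tuple(additional)


def parse_additional_readable_paths(prop_value: str) -> tuple:
    """Parse the comma-separated system property value into segment names."""
    return tuple(p.strip().strip("/") for p in prop_value.split(",") if p.strip())


def check_urls(urls, additional=()) -> dict:
    """Classify request paths under both models. Useful when auditing the
    URL space contributed by installed plugins: any path that is True under
    the first model and False under the second was reachable anonymously
    before the upgrade."""
    return {u: (is_always_readable_vulnerable(u),
                is_always_readable_fixed(u, additional))
            for u in urls}
```

If a plugin genuinely needs an unauthenticated endpoint, add its first segment via additionalReadablePaths rather than naming it with one of the listed prefixes; the former is explicit and auditable, the latter relied on the bug.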

Credentials stored in plain text by TraceTronic ECU-TEST Plugin

SECURITY-2057 / CVE-2021-21612

TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted
in its global configuration file
de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml
on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller
file system.

TraceTronic ECU-TEST Plugin 2.24 adds a new option type for sensitive options.
Previously stored credentials are migrated to that option type on Jenkins
startup.

XSS vulnerability in TICS Plugin

SECURITY-2098 / CVE-2021-21613

TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses.

This results in a cross-site scripting (XSS) vulnerability exploitable by
attackers able to control TICS service response content.

TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as
appropriate.

Credentials stored in plain text by Bumblebee HP ALM Plugin

SECURITY-2156 / CVE-2021-21614

Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its
global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml
on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller
file system.

Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its
configuration is saved again.
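The following script is an added example, not code from either plugin or from Jenkins. It implements the check an operator would run over the global configuration files named in the two plain-text credential entries above (SECURITY-2057 and SECURITY-2156) before and after the upgrade: parse the XML and flag any credential-looking element whose value is not stored in the encrypted form. The sample XML documents and their element names are constructed for this example, and the rule that values saved through Jenkins' Secret type serialise as a base64 blob wrapped in braces is an assumption about the on-disk format.

```python
"""Flag credential-like elements stored in plain text in Jenkins config XML.

Added example, not plugin or Jenkins code. The sample documents are
constructed (the element names are invented); the detection rule assumes
that values saved through Jenkins' Secret type are written as a base64
blob wrapped in braces, e.g. {AQAAABAAAA...}.
"""
import re
import xml.etree.ElementTree as ET

_SENSITIVE = re.compile(r"(password|passwd|secret|token|apikey)", re.IGNORECASE)
_SECRET_BLOB = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed: what the affected plugin versions are described as writing.
SAMPLE_BEFORE = """<hypothetical.PluginGlobalConfig>
  <serverUrl>https://alm.example.test</serverUrl>
  <username>ci-bot</username>
  <password>Hunter2!</password>
</hypothetical.PluginGlobalConfig>
"""

# Constructed: the same file after the configuration was saved with a fixed
# version (assumed Secret serialisation format).
SAMPLE_AFTER = """<hypothetical.PluginGlobalConfig>
  <serverUrl>https://alm.example.test</serverUrl>
  <username>ci-bot</username>
  <password>{AQAAABAAAAAQ1q2w3e4r5t6y7u8i9o0p}</password>
</hypothetical.PluginGlobalConfig>
"""


def find_plaintext_secrets(xml_text: str) -> list:
    """Return (element tag, value) for every sensitive-looking element whose
    text is neither empty nor a braced Secret blob."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        if not _SENSITIVE.search(elem.tag):
            continue
        value = (elem.text or "").strip()
        if value and not _SECRET_BLOB.match(value):
            hits.append((elem.tag, value))
    return hits


def scan_config_file(path: str) -> list:
    """Convenience wrapper for a file on the controller, e.g.
    $JENKINS_HOME/com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_secrets(fh.read())
```

Two caveats follow from the advisory text: the Bumblebee fix only re-encrypts once the configuration is saved again, so a scan immediately after upgrading can still report a hit, and any secret that was ever on disk in clear should be rotated, since anyone with controller file-system access (or a backup) may already have read it.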

Severity

  * SECURITY-1452: Medium
  * SECURITY-1889: High
  * SECURITY-1923: High
  * SECURITY-2021: High
  * SECURITY-2023: Medium
  * SECURITY-2025: Medium
  * SECURITY-2035: High
  * SECURITY-2047: Low
  * SECURITY-2057: Low
  * SECURITY-2098: High
  * SECURITY-2153: High
  * SECURITY-2156: Low
  * SECURITY-2171: High

Affected Versions

  * Jenkins weekly up to and including 2.274
  * Jenkins LTS up to and including 2.263.1
  * Bumblebee HP ALM Plugin up to and including 4.1.5
  * TICS Plugin up to and including 2020.3.0.6
  * TraceTronic ECU-TEST Plugin up to and including 2.23.1

Fix

  * Jenkins weekly should be updated to version 2.275
  * Jenkins LTS should be updated to version 2.263.2
  * Bumblebee HP ALM Plugin should be updated to version 4.1.6
  * TICS Plugin should be updated to version 2020.3.0.7
  * TraceTronic ECU-TEST Plugin should be updated to version 2.24

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Daniel Beck, CloudBees, Inc. for SECURITY-2047, SECURITY-2098,
    SECURITY-2153
  * Ismail Aydemir at d0nkeysec.org for SECURITY-1923
  * Jeff Thompson, CloudBees, Inc., Matt Sicker, CloudBees, Inc., and Wadeck
    Follonier, CloudBees, Inc. for SECURITY-1889
  * Jesse Glick, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for
    SECURITY-2171
  * Long Nguyen, Viettel Cyber Security for SECURITY-2057
  * Matt Sicker, CloudBees, Inc. and Jesse Glick, CloudBees, Inc. for
    SECURITY-2035
  * Son Nguyen (@s0nnguy3n_) for SECURITY-2156
  * Travis Emmert from Apple Information Security for SECURITY-1452
  * Wadeck Follonier, CloudBees, Inc. for SECURITY-2021, SECURITY-2023,
    SECURITY-2025

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================