-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1183
                         Jenkins Security Advisory
                               8 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins (core)
                   Micro Focus Application Automation Tools Plugin
                   promoted builds Plugin
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery     -- Existing Account            
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Existing Account            
                   Reduced Security               -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22513 CVE-2021-22512 CVE-2021-22511
                   CVE-2021-22510 CVE-2021-21641 CVE-2021-21640
                   CVE-2021-21639  

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2021-04-07/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2021-04-07  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Jenkins (core)
  o Micro Focus Application Automation Tools Plugin
  o promoted builds Plugin

Descriptions  

Lack of type validation in agent related REST API  

SECURITY-1721 / CVE-2021-21639

Jenkins 2.286 and earlier and LTS 2.277.1 and earlier do not validate the type
of object created after loading the data submitted to the config.xml REST API
endpoint of a node.

This allows attackers with Computer/Configure permission to replace a node with
one of a different type.

Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects
objects of unexpected types.

View name validation bypass  

SECURITY-1871 / CVE-2021-21640

Jenkins 2.286 and earlier and LTS 2.277.1 and earlier do not properly check that
a newly created view has an allowed name. When a form to create a view is
submitted, the name is included twice in the submission. One instance is
validated, but the other instance is used to create the value.

This allows attackers with View/Create permission to create views with invalid
or already-used names.

Jenkins 2.287, LTS 2.277.2 uses the same submitted value for validation and
view creation.
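The mismatch described above, as an added illustration that is not part of the Jenkins advisory or of Jenkins code: a toy view store receives the name twice, validates one copy and, in the vulnerable variant, creates the view from the other copy. The naming rule, the Submission and ViewStore classes and the sample submission are assumptions made for the example.

```python
# Added example, not Jenkins code: the double-submitted name behind
# SECURITY-1871. The naming rule and the two classes are assumptions.
import re
from dataclasses import dataclass, field

# Assumed rule for the toy: reject empty names, path separators and "..".
_BAD_NAME = re.compile(r"^\s*$|[\\/]|\.\.")


@dataclass
class Submission:
    """A create-view form post that carries the name twice: once as a plain
    form field and once inside the JSON payload, as the advisory describes."""
    form: dict
    body: dict


@dataclass
class ViewStore:
    existing: set = field(default_factory=set)

    def check_good_name(self, name):
        if _BAD_NAME.search(name):
            raise ValueError(f"invalid view name: {name!r}")
        if name in self.existing:
            raise ValueError(f"view already exists: {name!r}")

    def create_view_vulnerable(self, sub):
        # Validates the form-field copy ...
        self.check_good_name(sub.form["name"])
        # ... but builds the view from the JSON copy, which was never checked.
        name = sub.body["name"]
        self.existing.add(name)
        return name

    def create_view_fixed(self, sub):
        # One authoritative value: the copy that is validated is the copy used.
        name = sub.form["name"]
        self.check_good_name(name)
        self.existing.add(name)
        return name


def demo():
    """Runs both variants on one constructed submission whose two copies disagree."""
    dup = Submission(form={"name": "clean"}, body={"name": "../escape"})
    vulnerable = ViewStore().create_view_vulnerable(dup)   # returns '../escape'
    store = ViewStore()
    fixed = store.create_view_fixed(dup)                   # returns 'clean'
    try:
        store.create_view_fixed(dup)                       # 'clean' is now in use
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return {"vulnerable": vulnerable, "fixed": fixed,
            "duplicate_rejected": duplicate_rejected}


if __name__ == "__main__":
    print(demo())
```

The general lesson is the one the fix states: whatever copy of a submitted value passes validation must be the copy that is acted on, and any other copy in the request should be ignored rather than trusted.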

CSRF vulnerability in promoted builds Plugin  

SECURITY-2293 / CVE-2021-21641

promoted builds Plugin 3.9 and earlier does not require POST requests for HTTP
endpoints implementing promotion (regular, forced, and re-execute), resulting
in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to promote builds.

promoted builds Plugin 3.9.1 requires POST requests for the affected HTTP
endpoints.

Note: A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents
      exploitation of this vulnerability.

CSRF vulnerability and missing permission checks in Micro Focus Application
Automation Tools Plugin  

SECURITY-2132 / CVE-2021-22512 (CSRF), CVE-2021-22513 (permission check)

Micro Focus Application Automation Tools Plugin 6.7 and earlier does not
perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to
attacker-specified URLs using attacker-specified username and password.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and
Overall/Administer permission for the affected form validation methods.

Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin

SECURITY-2175 / CVE-2021-22510

Micro Focus Application Automation Tools Plugin 6.7 and earlier does not escape
user input in a form validation response.

This results in a reflected cross-site scripting (XSS) vulnerability.

Micro Focus Application Automation Tools Plugin 6.8 escapes user input in the
affected form validation response.

Note: A security hardening since Jenkins 2.275 and LTS 2.263.2 prevents
      exploitation of this vulnerability.
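The defects in the two plugin entries above (the missing POST requirement in SECURITY-2293, the missing permission check and POST requirement in SECURITY-2132, and the unescaped response in SECURITY-2175) share one remediation pattern. The following added example, which is not plugin or Jenkins code, models a "test connection" form-validation endpoint before and after that pattern is applied. The Request class, probe() and the permission strings are stand-ins for the Jenkins equivalents, and the requests are constructed.

```python
# Added example, not plugin or Jenkins code: a "test connection" form-validation
# endpoint before and after the fixes the advisory describes. Request, probe()
# and the permission strings are stand-ins for the Jenkins equivalents.
import html
from dataclasses import dataclass

READ = "Overall/Read"
ADMINISTER = "Overall/Administer"


@dataclass
class Request:
    method: str             # HTTP method
    params: dict            # submitted form fields
    permissions: frozenset  # permissions held by the calling user (constructed)


def probe(url, username, password):
    """Stand-in for the real connection attempt; nothing touches the network.
    Whatever reaches here with caller-controlled url and credentials is the
    'connect to attacker-specified URLs' problem the advisory names."""
    return f"could not connect to {url} as {username}"


def do_test_connection_vulnerable(req):
    # Serves any method (CSRF), checks no permission (any Overall/Read user
    # may drive it), and reflects the caller's input into HTML unescaped.
    msg = probe(req.params["url"], req.params["username"], req.params["password"])
    return 200, f"<div class='error'>{msg}</div>"


def do_test_connection_fixed(req):
    # 1. POST only: Jenkins applies its CSRF crumb check to POST requests, so
    #    a cross-site page can no longer trigger the endpoint with a GET.
    if req.method != "POST":
        return 405, "POST required"
    # 2. Permission check: only administrators may point it at a URL.
    if ADMINISTER not in req.permissions:
        return 403, "missing " + ADMINISTER
    # 3. Escape before the message lands in the HTML response.
    msg = probe(req.params["url"], req.params["username"], req.params["password"])
    return 200, f"<div class='error'>{html.escape(msg)}</div>"
```

Each of the three checks addresses a separate CVE in the advisory, which is why the fixed plugin version needed all three: method enforcement alone would still let any reader use the instance as a proxy, and the permission check alone would still reflect an administrator's own input unescaped.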

SSL/TLS certificate validation unconditionally disabled by Micro Focus
Application Automation Tools Plugin  

SECURITY-2176 / CVE-2021-22511

Micro Focus Application Automation Tools Plugin 6.7 and earlier unconditionally
disables SSL/TLS certificate validation for connections to Service
Virtualization servers.

Micro Focus Application Automation Tools Plugin 6.8 no longer disables SSL/TLS
certificate validation by default. It provides an option to disable SSL/TLS
certificate validation for connections to Service Virtualization servers.
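The change from unconditional to opt-in, shown as an added example that is not plugin code: a client builds its TLS context with verification on by default and drops it only on an explicit, logged setting. The function names, the ignore_ssl_errors flag and the logger name are assumptions for the example.

```python
# Added example, not plugin code: how a client to the Service Virtualization
# servers should build its TLS context. make_ssl_context() is the hardened
# form; make_ssl_context_vulnerable() reproduces the unconditional 6.7 behaviour.
import logging
import ssl

log = logging.getLogger("sv-client")


def make_ssl_context_vulnerable():
    """Trusts any certificate and ignores the hostname, for every connection:
    anyone on the network path can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_ssl_context(ignore_ssl_errors=False, ca_file=None):
    """Default: chain and hostname verification against the system trust
    store (or ca_file, e.g. an internal CA bundle). Verification is dropped
    only on an explicit, logged opt-in."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ignore_ssl_errors:
        log.warning("SSL/TLS certificate validation disabled by configuration")
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx):
    """True when the context will reject an untrusted or misnamed certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```

With the default context, make_ssl_context().wrap_socket(sock, server_hostname=host) fails the handshake for a self-signed or misnamed certificate; the right fix for an internal server is to pass its issuing CA as ca_file rather than to set the opt-in flag, and the warning line gives operators something to alert on if the flag is enabled anyway.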

Severity  

  o SECURITY-1721: Low
  o SECURITY-1871: Medium
  o SECURITY-2132: Medium
  o SECURITY-2175: High
  o SECURITY-2176: Medium
  o SECURITY-2293: Medium

Affected Versions  

  o Jenkins weekly up to and including 2.286
  o Jenkins LTS up to and including 2.277.1
  o Micro Focus Application Automation Tools Plugin up to and including 6.7
  o promoted builds Plugin up to and including 3.9

Fix  

  o Jenkins weekly should be updated to version 2.287
  o Jenkins LTS should be updated to version 2.277.2
  o Micro Focus Application Automation Tools Plugin should be updated to
    version 6.8
  o promoted builds Plugin should be updated to version 3.9.1

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.
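To turn the Affected Versions and Fix lists above into a check against an inventory, here is an added Python script that is not part of the bulletin. The plugin short names hp-application-automation-tools-plugin and promoted-builds are assumed from the Jenkins plugin site rather than taken from the bulletin, and the sample inventory is constructed.

```python
# Added example, not part of the bulletin: compare an installed Jenkins and
# its plugins against the fixed versions in this advisory. Plugin short names
# are assumed from the Jenkins plugin site; the inventory is constructed.
import re

FIXED = {
    "jenkins-weekly": "2.287",
    "jenkins-lts": "2.277.2",
    "hp-application-automation-tools-plugin": "6.8",   # assumed short name
    "promoted-builds": "3.9.1",                        # assumed short name
}


def parse_version(version):
    """'2.277.1' -> (2, 277, 1); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def core_line(core_version):
    """LTS releases carry three numeric components (2.277.1), weeklies two (2.286)."""
    return "jenkins-lts" if len(parse_version(core_version)) >= 3 else "jenkins-weekly"


def is_affected(component, version):
    """'All prior versions are considered to be affected': anything below the fix."""
    fixed = FIXED.get(component)
    if fixed is None:
        return False            # component not named in this advisory
    return parse_version(version) < parse_version(fixed)


def assess(core_version, plugins):
    """plugins: {short_name: version} as listed by the plugin manager.
    Returns (component, installed, required) triples still needing an update."""
    findings = []
    line = core_line(core_version)
    if is_affected(line, core_version):
        findings.append((line, core_version, FIXED[line]))
    for name, version in sorted(plugins.items()):
        if is_affected(name, version):
            findings.append((name, version, FIXED[name]))
    return findings


# Constructed inventory for the demonstration (not a real instance).
SAMPLE_CORE = "2.277.1"
SAMPLE_PLUGINS = {
    "git": "4.7.0",
    "hp-application-automation-tools-plugin": "6.7",
    "promoted-builds": "3.9.1",
}

if __name__ == "__main__":
    for component, installed, required in assess(SAMPLE_CORE, SAMPLE_PLUGINS):
        print(f"{component}: {installed} installed, update to {required}")
```

The installed list can be read from Manage Jenkins > Manage Plugins > Installed, or scripted from the plugin manager's JSON API (/pluginManager/api/json?depth=1 returns shortName and version for each plugin). Note that the core hardening mentioned for SECURITY-2293 does not change the plugin finding: the plugin itself still needs 3.9.1, which is what the table encodes.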

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Ildefonso Montero Perez, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. 
    for SECURITY-2293
  o Jeff Thompson, CloudBees, Inc. for SECURITY-1721
  o Long Nguyen, Viettel Cyber Security for SECURITY-2132
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-2175, SECURITY-2176

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----