CloudBees Security Advisory 2017-02-01

This advisory announces multiple vulnerabilities in Jenkins and CloudBees Jenkins Platform.

These vulnerabilities affect the following components:

  • CloudBees Jenkins Operations Center
  • CloudBees Jenkins Enterprise
  • DEV@cloud
  • Jenkins
  • CloudBees Role-based Access Control Plugin

 

CSRF vulnerability in RBAC Plugin permission management

  • CJP-5866 / CVE-2016-9887
  • Several URLs related to group and role management did not require POST form submission, resulting in a CSRF vulnerability. Affected URLs allowed creation of (unused) roles, deletion of (unused) roles, and setting group descriptions. No permissions could be changed by exploiting this vulnerability.
     

Use of AES ECB block cipher mode without IV for encrypting secrets

  • SECURITY-304 / CVE-2017-2598
  • Secrets such as passwords are typically stored on disk and sent to users as part of some pages in encrypted form. These were encrypted using AES-128 ECB without IV, which exposes Jenkins and the stored secrets to unnecessary risks. Jenkins now encrypts secrets using AES-128 CBC with random IV.
     

Items could be created with same name as existing item

  • SECURITY-321 / CVE-2017-2599
  • An insufficient permission check allowed users with the permission to create new items (e.g. jobs) to overwrite existing items they don’t have access to. After a Jenkins restart, children of the original item, such as builds, were then accessible in some circumstances.
     

Node monitor data could be viewed by low privilege users

  • SECURITY-343 / CVE-2017-2600
  • Overall/Read permission was sufficient to access node monitor data via the remote API. These included system configuration and runtime information of these nodes.
     

Possible cross-site scripting vulnerability in jQuery bundled with timeline widget

  • SECURITY-349 / CVE-2011-4969
  • The Simile timeline widget used on build history pages bundles an outdated jQuery vulnerable to CVE-2011-4969. We were unable to confirm that Jenkins is vulnerable, but updated the jQuery version bundled with the Simile timeline widget anyway.
     

Persisted cross-site scripting vulnerability in parameter names and descriptions

  • SECURITY-353 / CVE-2017-2601
  • Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
     

Outdated jbcrypt version bundled with Jenkins

  • SECURITY-354 / CVE-2015-0886
  • Jenkins bundled an outdated version of jbcrypt that was affected by CVE-2015-0886.
     

Pipeline metadata files not blacklisted in agent-to-master security subsystem

  • SECURITY-358 / CVE-2017-2602
  • The Pipeline suite of plugins stored build metadata in the file
    program.dat

    and the directory

    workflow/

    These were not blacklisted in the agent-to-master security subsystem and could therefore be written to by malicious agents.
     

User data leak in disconnected agents’ config.xml API

  • SECURITY-362 / CVE-2017-2603
  • Agents that were disconnected by users contained the disconnecting user’s User object in serialized form in the
    config.xml

    remote API output. This could leak sensitive data such as API tokens.
     

Low privilege users were able to act on administrative monitors

  • SECURITY-371 / CVE-2017-2604
  • Administrative monitors are warnings about the system state shown to Jenkins admins. They sometimes provide actions to e.g. automatically address the reported problem, or disable the warning. These actions were not consistently protected by permission checks, thereby allowing low privilege users to act on them.
  • All administrative monitors now require the user accessing them to be an administrator.
     

Re-key admin monitor leaves behind unencrypted credentials in upgraded installations

  • SECURITY-376 / CVE-2017-2605
  • The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards.
  • Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory
    $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups

    and delete it, if present.
     

Internal API allowed access to item names that should not be visible

  • SECURITY-380 / CVE-2017-2606
  • The method
    Jenkins#getItems()

    included a performance optimization that resulted in all items being returned if the Logged in users can do anything authorization strategy was used, and no access was granted to anonymous users (an option added in Jenkins 2.0). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an

    UnprotectedRootAction
    
    

 

Persisted cross-site scripting vulnerability in console notes

  • SECURITY-382 / CVE-2017-2607
  • Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Popular examples include the highlighting of sections by Ant Plugin, or the timestamp metadata from Timestamper. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.
  • To prevent this, console notes are now signed by Jenkins when created, and Jenkins will only deserialize correctly signed console notes. As a side effect, console notes created before updating to a release containing this fix will no longer be deserialized. To restore the previous (unsafe) behavior, set the system property
    hudson.console.ConsoleNote.INSECURE

    to true.
     

XStream remote code execution vulnerability

  • SECURITY-383 / CVE-2017-2608
  • XStream-based APIs in Jenkins (e.g.
    /createItem URLs

    or

    POST config.xml

    remote API) were vulnerable to a remote code execution vulnerability involving the deserialization of various types in

    javax.imageio
  • In case this extension of the blacklist results in regressions, the blacklist can be customized.
     

Information disclosure vulnerability in search suggestions

  • SECURITY-385 / CVE-2017-2609
  • The autocompletion for the search box provided the names of views the current user does not have access to in its suggestions. These suggestions were removed.
     

Persisted cross-site scripting vulnerability in search suggestions

  • SECURITY-388 / CVE-2017-2610
  • Jenkins allows the creation of users with less-than and greater-than characters in their names. These user names were not escaped when displaying search suggestions, resulting in a cross-site scripting vulnerability.
     

Insufficient permission check for periodic processes

  • SECURITY-389 / CVE-2017-2611
  • The URLs
    /workspaceCleanup

    and

    /fingerprintCleanup

    did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
     

Low privilege users were able to override JDK download credentials

  • SECURITY-392 / CVE-2017-2612
  • Jenkins allows administrators to enter their username and password to the Oracle download site which provides JDKs for download. Users with read access to Jenkins were able to override these credentials, resulting in future builds possibly failing to download a JDK. A permission check has been added.
     

User creation CSRF using GET by admins

  • SECURITY-406 / CVE-2017-2613
  • When administrators accessed a URL like
    /user/example

    via HTTP GET, a user with the ID

    example

    was created if it did not exist. While this user record was only retained until restart in most cases, administrators’ web browsers could be manipulated to create a large number of user records.

  • Accessing these URLs now no longer results in a user record getting created, Jenkins will respond with 404 Not Found if no such user exists. When using the internal Jenkins user database, new users can be created via Manage Jenkins » Manage Users. To restore the previous (unsafe) behavior, set the system property
    hudson.model.User.allowUserCreationViaUrl to true.
Severity: 

Affected Versions:

  • CloudBees Jenkins Operations Center 2.x.y.z (Rolling Train) up to 2.32.1.1
  • CloudBees Jenkins Operations Center 2.7.x.0.y (Fixed Train) up to 2.7.21.0.2
  • CloudBees Jenkins Operations Center 1.x up to 1.625.21.1
  • CloudBees Jenkins Enterprise 2.x.y.z (Rolling Train) up to 2.32.1.1
  • CloudBees Jenkins Enterprise 2.7.x.0.y (Fixed Train) up to 2.7.21.0.2
  • CloudBees Jenkins Enterprise 1.x up to 1.625.21.1
  • CloudBees RBAC Plugin up to 5.9 (except 5.6.1)
  • Jenkins LTS up to 2.32.1
  • Jenkins main up to 2.42
Fix: 
  • CloudBees Jenkins Operations Center 2.x.y.z (Rolling Train) should be upgraded to 2.32.2.1.
  • CloudBees Jenkins Operations Center 2.7.x.0.y (Fixed Train) should be upgraded to 2.7.22.0.1
  • CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.22.1
  • CloudBees Jenkins Enterprise 2.x.y.z (Rolling Train) should be upgraded to 2.32.2.1
  • CloudBees Jenkins Enterprise 2.7.x.0.y (Fixed Train) should be upgraded to 2.7.22.0.1
  • CloudBees Jenkins Enterprise 1.651.x.y should be upgraded to 1.651.22.1
  • CloudBees Role-based Access Control plugin 5.6 should be upgraded to 5.6.1 (CloudBees Jenkins Operations Center 1.625.22.1 and CloudBees Jenkins Enterprise 1.651.22.1 already include this version)
  • CloudBees Role-based Access Control plugin 5.9 should be upgraded to 5.9.1 (CloudBees Jenkins Platform 2.7.22.0.1-fixed contains 5.9.1 and CloudBees Jenkins Platform 2.32.2.1 contains 5.12).
  • Jenkins LTS should be upgraded to 2.32.2
  • Jenkins main line should be upgraded to Jenkins 2.44

These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities unless otherwise indicated.