CloudBees Security Advisory 2017-10-11

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform, CloudBees Jenkins Solutions, and these plugins:

Arbitrary shell command execution on master by users with Agent-related permissions

SECURITY-478 / CVE pending

Users with permission to create or configure agents in Jenkins could configure a launch method called Launch agent via execution of command on master. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched.

Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Note: A known limitation of this fix is that users without the Run Scripts permission are no longer able to configure agents with this launch method at all, even if the launch method remains unchanged. Because of this, a future release of Jenkins will move this launch method into a separate plugin. That plugin will depend on Script Security Plugin to secure this field and restore the ability of users without the Run Scripts permission to configure an agent with this launch method.

Jenkins core bundled vulnerable version of the commons-fileupload library

SECURITY-490 / CVE pending

Jenkins bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092.

The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

“User” remote API disclosed users’ email addresses

SECURITY-514 / CVE pending

Information about Jenkins user accounts is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users’ email addresses if the Mailer Plugin is installed.

The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator or the user themselves.

Jenkins core bundled vulnerable version of the commons-httpclient library

SECURITY-555 / CVE pending

Jenkins bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.

This library is widely used as a transitive dependency in Jenkins plugins.

The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Maven Plugin bundled vulnerable version of the commons-httpclient library

SECURITY-557 / CVE pending

Maven Plugin bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.

Maven Plugin 2.17.1-cb-1 and 3.0 no longer have a dependency on commons-httpclient.

Swarm Plugin Client bundled vulnerable version of the commons-httpclient library

SECURITY-597 / CVE pending

Swarm Plugin Client bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.

The fix for CVE-2012-6153 was backported to the version of commons-httpclient bundled in Swarm Plugin Client.

Note: Please note that Swarm Plugin Client needs to be updated independently from the plugin. Updating just the plugin will not resolve the security vulnerability.

“Computer” remote API disclosed information about inaccessible jobs

SECURITY-611 / CVE pending

The remote API at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.

This has been fixed, and the API now only shows information about accessible tasks.

“Queue Item” remote API disclosed information about inaccessible jobs

SECURITY-618 / CVE pending

The remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start).
This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.

This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

“Job” remote API disclosed information about inaccessible upstream/downstream jobs

SECURITY-617 / CVE pending

The remote API at /job/(job-name)/api contained information about upstream and downstream projects.
This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.

This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Form validation for password fields was sent via GET

SECURITY-616 / CVE pending

The Jenkins default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys).
The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files.

Form validation for <f:password/> is now always sent via POST, with the password in the request body, which is typically not logged.

Arbitrary code execution vulnerability in Speaks! Plugin

SECURITY-623 / CVE pending

This plugin allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.

As of publication of this advisory, there is no fix.
 

Severity: 

The following Jenkins, CloudBees Jenkins Platform, and CloudBees Jenkins Solutions are affected:

  • CloudBees Jenkins Enterprise up to and including 1.9.1.
  • CloudBees Jenkins Platform (rolling train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.x.y.z) up to and including 2.73.1.2.
  • CloudBees Jenkins Platform (fixed train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.46.x.0.y) up to and including 2.46.24.0.3
  • CloudBees Jenkins Team up to and including 2.73.1.2
  • Jenkins LTS up to and including 2.73.1
  • Jenkins main line up to and including 2.83

The following plugin versions are affected:

  • Maven Plugin up to and including 2.17
  • Swarm Plugin up to and including 3.4
  • All versions of Speaks! Plugin
     
Fix: 
  • CloudBees Jenkins Enterprise should be upgraded to 1.9.2. This version will be available for download in the next 24 hours.
  • CloudBees Jenkins Platform (rolling train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.x.y.z) should be upgraded to 2.73.2.1
  • CloudBees Jenkins Platform (fixed train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.46.x.0.y) should be upgraded to 2.46.26.0.1
  • CloudBees Jenkins Team should be upgraded to 2.73.2.1
  • DEV@cloud is already protected.
  • Jenkins:
    • Jenkins LTS should be upgraded to 2.73.2
    • Jenkins main line should be upgraded to 2.84
  • Plugins:
    • Maven Plugin should be upgraded to 2.17.1-cb-1 or 3.0. The CJT, CJP and CJE versions above bundle version 2.17.1-cb-1.
    • Swarm Plugin Client should be updated to 3.5.
    • Given that as of publication of this advisory, there is no fix available for Speaks! Plugin, its distribution has been suspended.