CloudBees Security Advisory 2017-12-06

This advisory announces a vulnerability in the EC2 plugin.

Arbitrary shell command execution on master by users with Agent-related permissions in EC2 Plugin

SECURITY-643 / CVE pending

Users with permission to create or configure agents in Jenkins could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched.

Configuration of these agents now requires the Run Scripts permission typically only granted to administrators.

Severity:

All versions of EC2 Plugin up to and including 1.37 are affected.

Fix:

EC2 Plugin should be updated to version 1.36.1-cb-1 or 1.38.
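The version range above can be checked programmatically. The script below is an added example, not part of the advisory: it reads the JSON returned by the Jenkins plugin manager API (endpoint path assumed; the sample response is constructed) and reports whether the installed EC2 plugin is in the affected range, treating the 1.36.1-cb-1 backport as fixed.

```python
"""Check an installed Jenkins EC2 plugin version against the SECURITY-643
affected range. Input is the JSON from the plugin manager API
(GET <jenkins>/pluginManager/api/json?depth=1, path assumed)."""
import json
import re

FIXED_BACKPORT = "1.36.1-cb-1"  # CloudBees backport named as a fix
LAST_AFFECTED = (1, 37)          # "up to and including 1.37"

# Constructed sample response, trimmed to the fields this script reads.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "credentials", "version": "2.1.16", "enabled": True},
        {"shortName": "ec2", "version": "1.36.1-cb-1", "enabled": True},
    ]
})


def version_core(version: str) -> tuple:
    """Leading dotted-numeric part of a version as an int tuple, with any
    vendor suffix such as '-cb-1' dropped: '1.36.1-cb-1' -> (1, 36, 1)."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the numeric core is <= 1.37, unless the version is the
    fixed CloudBees backport. Tuple comparison makes 1.37.1 > 1.37."""
    if version == FIXED_BACKPORT:
        return False
    return version_core(version) <= LAST_AFFECTED


def check_ec2_plugin(plugin_json: str) -> dict:
    """Find the EC2 plugin (shortName 'ec2') in a plugin manager response
    and report whether it is installed and affected."""
    for plugin in json.loads(plugin_json).get("plugins", []):
        if plugin.get("shortName") == "ec2":
            return {"installed": True,
                    "version": plugin["version"],
                    "affected": is_affected(plugin["version"])}
    return {"installed": False, "version": None, "affected": False}


if __name__ == "__main__":
    print(check_ec2_plugin(SAMPLE_PLUGIN_JSON))
```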

Instructions to get the fixes for the different CloudBees Jenkins Solutions products are included below:

  • CloudBees Jenkins Enterprise:
    • Version 1.11.0, to be available for download in the next 24 hours, already contains the fix.
    • For 1.10.0, in the Operations Center the plugin will be offered by Beekeeper if CAP is enabled.
    • For 1.10.0, in a Managed Master or with CAP disabled, the plugin can be updated through the Plugin Manager.
    • Users of versions older than 1.10.0 should upgrade to 1.10.0 or 1.11.0.
  • CloudBees Jenkins Platform (rolling train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.x.y.z):
    • Version 2.89.1.6 already contains the fix.
    • For Operations Center 2.73.3.1, the plugin will be offered by Beekeeper if CAP is enabled.
    • For Client Master 2.73.3.1 or in Operations Center 2.73.3.1 with CAP disabled, the plugin can be updated through the Plugin Manager.
    • Users of versions older than 2.73.3.1 should upgrade to 2.73.3.1 or 2.89.1.6.
  • CloudBees Jenkins Platform (fixed train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.46.x.0.y):
    • For Operations Center 2.46.27.0.1, the plugin will be offered by Beekeeper if CAP is enabled.
    • For Client Master 2.46.27.0.1 or in Operations Center 2.46.27.0.1 with CAP disabled, the plugin can be updated through the Plugin Manager.
    • Users of versions older than 2.46.27.0.1 should upgrade to 2.46.27.0.1.
  • CloudBees Jenkins Team should be upgraded to 2.89.1.6.