CloudBees Security Advisory 2018-08-15

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Jenkins allowed deserialization of URL objects with host components - SECURITY-637

Jenkins allowed deserialization of URL objects via Remoting (agent communication) and XStream.

This could in rare cases be used by attackers to have Jenkins loop up specified hosts' DNS records.

Jenkins now injects a URLStreamHandler when deserializing URLs that overrides the affected URL methods.

This can be disabled if needed by setting the system property hudson.remoting.URLDeserializationHelper.avoidUrlWrapping to true .

Ephemeral user record was created on some invalid authentication attempts - SECURITY-672

When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as (legacy) API tokens could exist without a persisted user record.

This behavior could be abused to create a large number of ephemeral user records in memory.

The API token validation on authentication has been improved to no longer create ephemeral user records.

Cron expression form validation could enter infinite loop, potentially resulting in denial of service - SECURITY-790

The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.

"Remember me" cookie was evaluated even if "Remember me" feature is disabled - SECURITY-996

The "Remember me" feature can be disabled in the Jenkins security configuration.

This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in.

"Remember me" cookies are no longer evaluated when the corresponding feature is disabled.

Unauthorized users could access agent logs - SECURITY-1071

Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks.

Access to the affected URL is now limited to users with the correct Agent/Connect permission.

Unauthorized users could cancel scheduled restarts initiated from the update center - SECURITY-1076

Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks.

Access to the affected URL is now limited to users with Overall/Administer permission.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded 2.121.3.1

  • CloudBees Cloud Platforms should be upgraded 2.121.3.1

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.121.3.1

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.121.3.1

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.73.35.0.1

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.107.x.0.z) should be upgraded to version 2.107.34.0.1

  • CloudBees Jenkins Team should be upgraded to version 2.121.3.1

  • DEV@cloud is already protected