CloudBees Security Advisory 2019-01-28

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Sandbox Bypass in Script Security Plugin

SECURITY-1292

Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This affected an HTTP endpoint used to validate a user-submitted Groovy script that was not covered in the 2019-01-08 fix for SECURITY-1266 and allowed users with Overall/Read permission to bypass the sandbox protection and execute arbitrary code on the Jenkins master. The affected HTTP endpoint now applies a safe Groovy compiler configuration prohibiting unsafe AST transforming annotations.

Sandbox Bypass in Groovy Plugin

SECURITY-1293

roovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.

Sandbox Bypass via CSRF in Warnings Plugin

SECURITY-1295 (1)

Warnings Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.

Sandbox Bypass via CSRF in Warnings Next Generation Plugin

SECURITY-1295 (2)

Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.

Improper certificate validation with StartTLS in Active Directory Plugin

SECURITY-859

Active Directory Plugin performs TLS upgrade (StartTLS) after connecting to domain controllers through insecure LDAP. In this mode, certificates were not properly validated, effectively trusting all certificates, allowing man-in-the-middle attacks. This only affected TLS upgrades. The LDAPS mode, available by setting the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected. The plugin now properly validates certificates according to the TLS trust configuration when performing a TLS upgrade.

CSRF vulnerability in Git Plugin

SECURITY-1095

Git Plugin allows the creation of a tag in a job workspace’s Git repository with accompanying metadata attached to a build record. The HTTP endpoint to create the tag did not require POST requests, resulting in a CSRF vulnerability. The HTTP endpoint to create the tag now requires that requests are sent via POST.

Recursive token expansion results in information disclosure and DoS in Token Macro Plugin

SECURITY-1102

Token Macro Plugin recursively applied token expansion. This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service. Most tokens have been changed to no longer recursively apply token expansion.

Blue Ocean did not require CSRF tokens

SECURITY-1201

Blue Ocean did not require CSRF tokens (“crumbs”) for POST requests with the Content-Type: application/json. Blue Ocean now requires that valid CSRF tokens are present in POST requests.

XSS vulnerability via user description in Blue Ocean

SECURITY-1204

Blue Ocean did not properly escape HTML/JavaScript content set on the current user’s description field, resulting in a cross-site scripting vulnerability exploitable by administrators and other people accessing Jenkins with the same user account. Blue Ocean now properly escapes HTML/JavaScript content set on the current user’s description field.

XSS vulnerability in Config File Provider Plugin

SECURITY-1253

Config File Provider Plugin improperly handled script names in its JavaScript-based UI, resulting in a stored cross-site scripting (XSS) vulnerability. Config File Provider Plugin now properly handles script names.

XXE vulnerability in Job Import Plugin

SECURITY-905 (1)

Job Import Plugin allows to import jobs from other Jenkins instances. As a first step in this process, Job Import Plugin sends a request to another Jenkins instance, parsing XML REST API output to obtain a list of jobs that could be imported. Job Import Plugin did not configure the XML parser in a way that would prevent XML External Entity (XXE) processing. This allowed attackers able to control either the server Jenkins will query, or the URL Jenkins queries, to have it parse a maliciously crafted XML response that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks. External entity resolution has been disabled for the XML parser used in Job Import Plugin 3.0.

CSRF vulnerability and missing permission checks in Job Import Plugin allowed capturing credentials

SECURITY-905 (2)

Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Job Import Plugin 3.0 will only access Jenkins instances using credentials defined in the global configuration.

CSRF vulnerability in Job Import Plugin allowed creating and overwriting jobs, installing some plugins

SECURITY-1302

Job Import Plugin did not require that POST requests are sent to its /import URL, which processes requests to import jobs. This resulted in a cross-site request forgery (CSRF) vulnerability that could be exploited to create or replace jobs on the local instance if the remote Jenkins instance has different ones with the same name, or to install additional plugins, if jobs on the remote Jenkins instance reference them in their configuration. Job Import Plugin 3.0 restricted which remote Jenkins instances jobs can be imported from, limiting how this can be exploited. From Job Import Plugin 3.1, the /import URL requires that requests are sent via POST.

GitHub Authentication Plugin showed plain text client secret in configuration form

SECURITY-602

GitHub Authentication Plugin stores the client secret in the global Jenkins configuration. While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret through browser extensions, cross-site scripting vulnerabilities, and similar situations. GitHub Authentication Plugin now encrypts the client secret transmitted to administrators viewing the global security configuration form.

Session fixation vulnerability in GitHub Authentication Plugin

SECURITY-797

GitHub Authentication Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user’s pre-login session ID to impersonate them. GitHub Authentication Plugin now invalidates the previous session during login and creates a new one.

CSRF vulnerability and missing permission checks in Kanboard Plugin allowed server-side request forgery

SECURITY-818

Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. This form validation method now requires POST requests and Overall/Administer permissions.

OpenId Connect Authentication Plugin showed plain text client secret in configuration form

SECURITY-886

OpenId Connect Authentication Plugin stores the client secret in the global Jenkins configuration. While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret through browser extensions, cross-site scripting vulnerabilities, and similar situations. The OpenId Connect Authentication Plugin now encrypts the client secret transmitted to administrators viewing the global configuration form.

Monitoring Plugin did not apply CSRF protection even if enabled in Jenkins

SECURITY-1153

Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration. Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled. Monitoring Plugin now checks on startup whether Jenkins has CSRF protection enabled and enables its own CSRF protection accordingly. NOTE: Monitoring Plugin does not take into account configuration changes applied after Jenkins startup or after Monitoring Plugin finishes loading. Administrators need to restart Jenkins when enabling or disabling the CSRF protection configuration to apply the change to Monitoring Plugin.

Clickjacking vulnerability in Monitoring Plugin

SECURITY-1154

Monitoring Plugin did not set the X-Frame-Options header, allowing its pages to be embedded. This could result in clickjacking attacks. Monitoring Plugin now sets the X-Frame-Options header to sameorigin, preventing embedding.

XSS vulnerability in Warnings Next Generation Plugin

SECURITY-1271

Warnings Next Generation Plugin did not properly escape HTML content in warnings displayed on the Jenkins UI, resulting in a cross-site scripting vulnerability exploitable by users able to control warnings parser input. Warnings Next Generation Plugin now removes unsafe HTML content from warnings.

 

Severity: 
Fix: 
  • CloudBees Traditional Platforms should be upgraded 2.150.2.3-rev2
  • CloudBees Cloud Platforms should be upgraded 2.150.2.3-rev2
  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.150.2.3-rev2
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.150.2.3-rev2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.107.x.0.z) should be upgraded to version 2.107.37.0.2-rev2
  • CloudBees Jenkins Team should be upgraded to version 2.150.2.3-rev2