The Total Economic Impact of CloudBees - commissioned study shows cost savings of $30.9 million using CloudBees for CI/CD →

CloudBees Security Advisory 2019-05-21

undefined

CloudBees Security Advisory 2019-05-21

This advisory announces vulnerabilities inJenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Missing permission check allowed obtaining limited information about system configuration in PAM Authentication Plugin

SECURITY-1316

A missing permission check in PAM Authentication Plugin allowed users with Overall/Read permission to invoke a form validation method to obtain limited information about the file /etc/shadow on systems with that file present, as well as the system user the Jenkins process is running as.

Depending on configuration, one of the following messages could be obtained by an attacker:

  • "Jenkins needs to be able to read /etc/shadow"

  • "(1) needs to belong to group (2) to read /etc/shadow"

  • "Either Jenkins needs to run as (3) or (1) needs to belong to group (2) and 'chmod g+r /etc/shadow' needs to be done to enable Jenkins to read /etc/shadow"

  • "Success"

The numeric placeholders in the messages above would be populated with the following values:

  1. The system user that the Jenkins master process is running as (usually jenkins )

  2. The group owning /etc/shadow

  3. The user owning /etc/shadow

This form validation method now requires Overall/Administer permission.

Certificate file read vulnerability in Credentials Plugin

SECURITY-1322

Credentials Plugin allowed the creation of Certificate credentials from a PKCS#12 file on the Jenkins master.
Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path.

Additionally, they could create credentials from any valid PKCS#12 file on the Jenkins master.
With the ability to configure jobs to access these credentials, they could obtain the certificate content.

Credentials Plugin no longer supports Certificate credentials from PKCS#12 files on the Jenkins master file system.
Existing Certificate credentials of this kind are automatically migrated to directly entered Certificate credentials during Jenkins startup.

Note

Due to technical limitations, these migrated credentials are not immediately persisted. In rare situations a non-administrator user might access a credential migrated this way and encounter a permission error. The solution is to save affected credentials manually, either individually through the UI or with the following script for the Script Console:

com.cloudbees.plugins.credentials.CredentialsProvider.saveAll()

This operation may impact performance.

In almost all cases the automatic migration will work and these additional steps will be unnecessary.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded 2.164.3.2-rev2

  • CloudBees Cloud Platforms should be upgraded 2.164.3.2-rev2

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.164.3.2-rev2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.164.3.2-rev2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.138.x.0.z) should be upgraded to version 2.138.41.0.1-rev2

  • CloudBees Jenkins Distribution should be upgraded to version 2.164.3.2-rev2

More Security Advisories

From code to customer.

Continuously advancing your business.

© 2024 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders.