CloudBees Security Advisory 2019-05-21

This advisory announces vulnerabilities in
Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Missing permission check allowed obtaining limited information about system configuration in PAM Authentication Plugin

SECURITY-1316

A missing permission check in PAM Authentication Plugin allowed users with Overall/Read permission to invoke a form validation method to obtain limited information about the file /etc/shadow on systems with that file present, as well as the system user the Jenkins process is running as.

Depending on configuration, one of the following messages could be obtained by an attacker:

  • “Jenkins needs to be able to read /etc/shadow”

  • “(1) needs to belong to group (2) to read /etc/shadow”

  • “Either Jenkins needs to run as (3) or (1) needs to belong to group (2) and ‘chmod g+r /etc/shadow’ needs to be done to enable Jenkins to read /etc/shadow”

  • “Success”

The numeric placeholders in the messages above would be populated with the following values:

  1. The system user that the Jenkins master process is running as (usually jenkins)

  2. The group owning /etc/shadow

  3. The user owning /etc/shadow

This form validation method now requires Overall/Administer permission.
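As an added illustration of the pattern behind SECURITY-1316 (example code, not the PAM Authentication Plugin's own source): a hypothetical Jenkins descriptor whose form validation method checks whether /etc/shadow is readable, shown first without a permission check and then with the Overall/Administer check the fix requires. The class, method and message names are assumptions for the example.

```java
import hudson.model.Descriptor;
import hudson.security.SecurityRealm;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical descriptor (added example, not the PAM Authentication Plugin's code).
public class ShadowCheckDescriptor extends Descriptor<SecurityRealm> {
    private static final Path SHADOW = Paths.get("/etc/shadow");

    public ShadowCheckDescriptor() {
        super(SecurityRealm.class);
    }

    @Override
    public String getDisplayName() {
        return "Shadow readability check (example)";
    }

    // Shared check. The result names the account Jenkins runs as, so the
    // message itself is system-configuration information.
    private static FormValidation checkShadowReadable() {
        if (!Files.exists(SHADOW)) {
            return FormValidation.ok("No /etc/shadow on this system");
        }
        if (Files.isReadable(SHADOW)) {
            return FormValidation.ok("Success");
        }
        return FormValidation.error(
                System.getProperty("user.name") + " needs to be able to read /etc/shadow");
    }

    // BEFORE: Stapler exposes doCheckXxx as a web method; with no permission
    // check, any user with Overall/Read can call it and read the message.
    public FormValidation doCheckShadowUnsafe() {
        return checkShadowReadable();
    }

    // AFTER: require Overall/Administer (and POST) before revealing anything.
    @RequirePOST
    public FormValidation doCheckShadow() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return checkShadowReadable();
    }
}
```

The checkPermission call throws an AccessDeniedException for callers without Overall/Administer, so the validation logic and its message are never reached by lower-privileged users.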

Certificate file read vulnerability in Credentials Plugin

SECURITY-1322

Credentials Plugin allowed the creation of Certificate credentials from a PKCS#12 file on the Jenkins master.
Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path.

Additionally, they could create credentials from any valid PKCS#12 file on the Jenkins master.
With the ability to configure jobs to access these credentials, they could obtain the certificate content.

Credentials Plugin no longer supports Certificate credentials from PKCS#12 files on the Jenkins master file system.
Existing Certificate credentials of this kind are automatically migrated to directly entered Certificate credentials during Jenkins startup.

Note

Due to technical limitations, these migrated credentials are not immediately persisted.
In rare situations a non-administrator user might access a credential migrated this way and encounter a permission error.
The solution is to save affected credentials manually, either individually through the UI or with the following script for the Script Console:

com.cloudbees.plugins.credentials.CredentialsProvider.saveAll()

This operation may impact performance.

In almost all cases the automatic migration will work and these additional steps will be unnecessary.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.164.3.2-rev2
  • CloudBees Cloud Platforms should be upgraded to 2.164.3.2-rev2
  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.164.3.2-rev2
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master, 2.x.y.z) should be upgraded to version 2.164.3.2-rev2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master, 2.138.x.0.z) should be upgraded to version 2.138.41.0.1-rev2
  • CloudBees Jenkins Distribution should be upgraded to version 2.164.3.2-rev2