CloudBees Security Advisory 2019-06-11

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

XML External Entity processing vulnerability in Token Macro Plugin

SECURITY-1399 / CVE-2019-10337

Token Macro Plugin did not configure its XML parser in a way that would prevent XML External Entity (XXE) processing.

This allowed attackers able to control the contents of files processed with the ${XML} macro to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.

Token Macro Plugin no longer processes XML External Entities in XML documents.

CSRF vulnerability and missing permission check in JX Resources Plugin

SECURITY-1379 / CVE-2019-10338 (CSRF), CVE-2019-10339 (improper authorization)

JX Resources Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes server and obtain information about an attacker-specified namespace. Doing so might also leak service account credentials used for the connection. Additionally, it allowed attackers to obtain the value of any attacker-specified environment variable for the Jenkins master process.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in ElectricFlow Plugin allowed SSRF

SECURITY-1410 (1)  / CVE-2019-10331 (CSRF), CVE-2019-10332 (missing permission checks)

A missing permission check in a form validation method in ElectricFlow Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Missing permission checks in ElectricFlow Plugin

SECURITY-1410 (2) /  CVE-2019-10333

Various form validation and form autocompletion methods in ElectricFlow Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of ElectricFlow Plugin, as well as the configuration and data of connected ElectricFlow servers.

These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.

ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation

SECURITY-1411 / CVE-2019-10334

ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins master JVM during the deployment/publication of an application.

ElectricFlow Plugin no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific connection.

This issue was caused by an incomplete fix for SECURITY-937.

XSS vulnerability in build metadata contributed by ElectricFlow Plugin

SECURITY-1412 / CVE-2019-10335

The plugin adds metadata displayed on build pages during its operations.

Any user content was not escaped, resulting in a cross-site scripting vulnerability allowing users with Job/Configure permission, or attackers controlling API responses received from ElectricFlow to render arbitrary HTML and JavaScript on Jenkins build pages.

Build metadata is now filtered through a HTML formatter that only allows showing basic HTML, neutralizing any unsafe data. Additionally, all builds executed after the security update is applied will now properly escape content received from ElectricFlow.

XSS vulnerability in ElectricFlow Plugin affecting job configuration forms

SECURITY-1420 / CVE-2019-10336

The configuration forms of various post-build steps contributed by ElectricFlow Plugin were vulnerable to cross-site scripting.

This allowed attackers able to control the output of connected ElectricFlow servers’ APIs to inject arbitrary HTML and JavaScript into the configuration form.

ElectricFlow Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.

 

Severity

 

Fix

  • CloudBees Traditional Platforms should be upgraded 2.164.3.2-rev3
  • CloudBees Cloud Platforms should be upgraded 2.164.3.2-rev3
  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.164.3.2-rev3
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.164.3.2-rev3
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.138.x.0.z) should be upgraded to version 2.138.41.0.1-rev3
  • CloudBees Jenkins Distribution should be upgraded to version 2.164.3.2-rev3