CloudBees Security Advisory 2019-07-17

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Arbitrary file write vulnerability using file parameter definitions

SECURITY-1424 / CVE-2019-10352

Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path would be used to store the uploaded file on the Jenkins master, resulting in an arbitrary file write vulnerability.

File parameters that escape the base directory are no longer accepted and the build will fail.

This vulnerability is the result of an incomplete fix for SECURITY-1074.

CSRF protection tokens did not expire

SECURITY-626 / CVE-2019-10353

By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim’s IP address remained unchanged.

CSRF tokens will now also check the web session ID to confirm they were created in the same session. Once that’s invalidated or expired, corresponding CSRF tokens will become invalid as well.

Note
This fix may impact scripts that obtain a crumb from the crumb issuer API. They may need to be updated to retain the session ID for subsequent requests.
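Updating a crumb-fetching script as the note describes, shown as an added example that is not from the advisory or from Jenkins: the small in-process HTTP server is a constructed stand-in for a Jenkins master (its session-to-crumb binding is simplified; real crumbs are computed differently), and the job path /job/example/build is a placeholder, while /crumbIssuer/api/json with its crumb and crumbRequestField fields is the real crumb issuer API. The client side shows that the session cookie received with the crumb must be kept for the subsequent POST.

```python
import http.cookiejar
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a Jenkins master (not Jenkins code): the crumb issuer
# sets a session cookie and a POST passes only if crumb and session still match.
_sessions = {}  # session id -> crumb issued for that session

class _FakeJenkins(BaseHTTPRequestHandler):
    def do_GET(self):  # any GET is treated as /crumbIssuer/api/json here
        sid, crumb = secrets.token_hex(8), secrets.token_hex(16)
        _sessions[sid] = crumb
        body = json.dumps({"crumb": crumb, "crumbRequestField": "Jenkins-Crumb"})
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        raw = self.headers.get("Cookie", "")
        cookies = dict(c.split("=", 1) for c in raw.split("; ") if "=" in c)
        sid = cookies.get("JSESSIONID")
        ok = sid in _sessions and _sessions[sid] == self.headers.get("Jenkins-Crumb")
        self.send_response(200 if ok else 403)
        self.end_headers()

def start_fake_jenkins():
    srv = HTTPServer(("127.0.0.1", 0), _FakeJenkins)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def post_with_crumb(base_url, keep_session):
    # keep_session=False mimics a script that discards cookies between the calls.
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(base_url + "/crumbIssuer/api/json") as resp:
        data = json.load(resp)
    if not keep_session:
        jar.clear()  # drops JSESSIONID before the POST
    req = urllib.request.Request(base_url + "/job/example/build", method="POST")
    req.add_header(data["crumbRequestField"], data["crumb"])
    try:
        return opener.open(req).status
    except urllib.error.HTTPError as err:
        return err.code  # 403 once the crumb arrives without its session
```

Against a real master the same opener-with-cookie-jar pattern applies; only the base URL and credentials change.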

We also publish the Strict Crumb Issuer Plugin which contains additional protection mechanisms that give administrators more fine-grained control over the validity of CSRF tokens. We plan to improve the built-in default crumb issuer based on user feedback of this implementation.

Unauthorized view fragment access

SECURITY-534 / CVE-2019-10354

Jenkins uses the Stapler web framework to render its UI views. These views are frequently comprised of several view fragments, enabling plugins to extend existing views with more content.

In some cases attackers could directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.

The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows preventing views from being rendered. The implementation of that SPI in Jenkins now prevents view fragments from being rendered.

Most views in Jenkins and Jenkins plugins should be compatible with this change. We track known affected plugins and their status in the Jenkins wiki.

In rare cases, it may be desirable to disable this fix. To do so, set the Java system property jenkins.security.stapler.StaplerDispatchValidator.disabled to true. Learn more about system properties in Jenkins.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to version 2.176.2.3
  • CloudBees Cloud Platforms should be upgraded to version 2.176.2.3
  • CloudBees Jenkins Enterprise Managed Masters and Operations Center should be upgraded to version 2.176.2.3
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.176.2.3
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.164.x.0.z) should be upgraded to version 2.164.30.0.1
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.138.x.0.z) should be upgraded to version 2.138.42.0.1
  • CloudBees Jenkins Distribution should be upgraded to version 2.176.2.3
  • Jenkins weekly should be updated to version 2.186
  • Jenkins LTS should be updated to version 2.176.2