CloudBees Security Advisory 2020-11-04

This advisory announces vulnerabilities in Cloudbees, CloudBees Jenkins Distribution and CloudBees Jenkins Platform

Login allowed with hardcoded password by Active Directory Plugin 

SECURITY-2117 / CVE-2020-2299

Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

The LDAP-based mode in Active Directory Plugin 2.19 and earlier shares code between user lookup and user authentication and distinguishes these behaviors through the use of a magic constant used in place of a real password. This allows attackers to log in as any user if the magic constant is used as the password in Active Directory Plugin 2.19 and earlier.

Active Directory Plugin 2.20 no longer uses a magic constant to distinguish between user lookup and user authentication.

Login allowed with empty password by Active Directory Plugin 

SECURITY-2099 / CVE-2020-2300

Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

The Windows/ADSI mode does not specifically prohibit use of empty passwords in Active Directory Plugin 2.19 and earlier. If the Active Directory server allows the unauthenticated bind operation, this allows attackers to log in to Jenkins as any user by providing an empty password.

Active Directory Plugin 2.20 prohibits the use of an empty password to log in.

Authentication cache in Active Directory Plugin allows logging in with any password 

SECURITY-2123 / CVE-2020-2301

Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. Optionally, to reduce lookup time, a cache can be configured to remember user lookups and user authentications.

In Active Directory Plugin 2.19 and earlier, when run in Windows/ADSI mode, the provided password was not used when looking up an applicable cache entry. This allows attackers to log in as any user using any password while a successful authentication of that user is still in the cache.

As a workaround for this issue, the cache can be disabled.

Active Directory Plugin 2.20 includes the provided password in cache entry lookup.

Additionally, the Java system property hudson.plugins.active_directory.CacheUtil.noCacheAuth can be set to true to no longer cache user authentications.

Missing permission check in Active Directory Plugin allows accessing domain health check page 

SECURITY-1999 / CVE-2020-2302

Active Directory Plugin 2.19 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the domain health check diagnostic page.

Active Directory Plugin 2.20 requires Overall/Administer permission to access the domain health check diagnostic page.

CSRF vulnerability in Active Directory Plugin 

SECURITY-2126 / CVE-2020-2303

Active Directory Plugin 2.19 and earlier does not require POST requests for multiple HTTP endpoints implementing connection and authentication tests, resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.

Active Directory Plugin 2.20 requires POST requests for the affected HTTP endpoints.

XXE vulnerability in Subversion Plugin 

SECURITY-2145 / CVE-2020-2304

Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Subversion Plugin 2.13.2 disables external entity resolution for its XML parser.

XXE vulnerability in Mercurial Plugin 

SECURITY-2115 / CVE-2020-2305

Mercurial Plugin 2.11 and earlier does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Mercurial Plugin 2.12 disables external entity resolution for its XML parser.

Missing permission check in Mercurial Plugin 

SECURITY-2104 / CVE-2020-2306

Mercurial Plugin 2.11 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

Mercurial Plugin 2.12 performs permission checks when listing configured Mercurial installations.

Master environment variables accessible in Kubernetes Plugin 

SECURITY-1646 / CVE-2020-2307

Kubernetes Plugin 1.27.3 and earlier includes a feature to replace placeholders in pod template and container template fields with environment variable values.

This feature allows low-privilege users to access possibly sensitive Jenkins controller environment variables.

Kubernetes Plugin 1.27.4 disables this feature.

NOTE: The Java system property org.csanchez.jenkins.plugins.kubernetes.PodTemplateUtils.SUBSTITUTE_ENV can be set to true to restore this feature. Administrators are advised that future releases of Kubernetes Plugin will remove this feature entirely.

Missing permission check in Kubernetes Plugin allows listing pod templates 

SECURITY-2102 / CVE-2020-2308

Kubernetes Plugin 1.27.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to list global pod template names.

Kubernetes Plugin 1.27.4 requires Overall/Administer permission to list global pod template names.

Missing permission check in Kubernetes Plugin allows enumerating credentials IDs 

SECURITY-2103 / CVE-2020-2309

Kubernetes Plugin 1.27.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Kubernetes Plugin 1.27.4 requires the appropriate permissions.

Missing permission checks in Ansible Plugin allow enumerating credentials IDs 

SECURITY-1943 / CVE-2020-2310

Ansible Plugin 1.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Ansible Plugin 1.1 requires the appropriate permissions.

Missing permission check in AWS Global Configuration Plugin allows replacing plugin configuration 

SECURITY-2101 / CVE-2020-2311

AWS Global Configuration Plugin 1.5 and earlier does not perform a permission check in an HTTP endpoint processing form submissions.

This allows attackers with Overall/Read permission to replace the global AWS configuration.

AWS Global Configuration Plugin 1.6 properly performs permission checks when processing configuration form submissions.

Password written to the build log by SQLPlus Script Runner Plugin 

SECURITY-2129 / CVE-2020-2312

SQLPlus Script Runner Plugin 2.0.12 and earlier prints the sqlplus command invocation to the build log.

This log message does not redact a password provided as part of a command line argument. This password can be viewed by users with Item/Read permission.

SQLPlus Script Runner Plugin 2.0.13 no longer prints the password in the build log.

Missing permission checks in Azure Key Vault Plugin allow enumerating credentials IDs 

SECURITY-2110 / CVE-2020-2313

Azure Key Vault Plugin 2.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Azure Key Vault Plugin 2.1 requires the appropriate permissions.

Password stored in plain text by AppSpider Plugin 

SECURITY-2058 / CVE-2020-2314

AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

AppSpider Plugin 1.0.13 stores a password encrypted once its configuration is saved again.

XXE vulnerability in Visualworks Store Plugin 

SECURITY-1900 / CVE-2020-2315

Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the output of a script that run Visualworks with StoreCI, or able to control an agent process, to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Visualworks Store Plugin 1.1.4 disables external entity resolution for its XML parser.

Stored XSS vulnerability in Static Analysis Utilities Plugin 

SECURITY-1907 / CVE-2020-2316

Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in FindBugs Plugin 

SECURITY-1918 / CVE-2020-2317

FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to FindBugs Plugin’s post build step.

As of publication of this advisory, there is no fix.

Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci Plugin 

SECURITY-2085 / CVE-2020-2318

Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by VMware Lab Manager Slaves Plugin 

SECURITY-2084 / CVE-2020-2319

VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Fix vulnerability on CloudBees Role-Based Access Control (RBAC) Plugin with doConfigDotXml()

CTR-430
When using the CloudBees Role-Based Access Control (RBAC) Plugin, any user with the Item.CONFIGURE ( or View.CONFIGURE, Computer.CONFIGURE) permission on an item was able to override the RBAC configuration of that item by uploading a new `config.xml` file, allowing them to easily escalate permissions.

To fix this vulnerability, CloudBees moved the RBAC configurations of each item (if any) from their config.xml file to a new file named nectar-rbac.xml, and saved it in the item's folder. This migration of the RBAC configurations will happen automatically on startup.

The vulnerability could not be corrected for Views, so RBAC on Views is disabled by default. It can be enabled by setting the system property nectar.plugins.rbac.groups.ViewProxyGroupContainer.enabled=true

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded 2.249.3.1-rev2

  • CloudBees Cloud Platforms should be upgraded 2.249.3.1-rev2

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.249.3.1-rev2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.249.3.1-rev2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 2.222.42.0.1-rev5

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.190.x.0.z) should be upgraded to version 2.190.33.0.2-rev5