CloudBees Security Advisory 2020-11-25

This advisory announces vulnerabilities in CloudBees Jenkins Platform

In June we published a security advisory in which we mentioned fixing 3 CSRF vulnerabilities (CTR-1643, CTR-1644 and CTR-1645). We stated that these vulnerabilities were fixed in 2.235.1.2 and the fixed line 2.190.31.0.2 rev6. In fact, those releases contained those fixes as notified.

However, these vulnerabilities should have also been fixed in the subsequent releases of the 2.222 fixed line, but were not included due to a newly discovered issue with our release process . Specifically, the following releases should have included these fixes, but did not:

  • 2.222.41.0.1

  • 2.222.42.0.1

  • 2.222.42.0.2

Upon discovering this omission, we immediately analysed the impact of this to our customers. We have confirmed that only these 3 issues (CTR-1643, CTR-1644 and CTR-1645) were omitted from those releases

We are producing a new security incremental (2.222.42.0.2 rev2) to address these vulnerabilities and we strongly recommend customers update to this version. We are treating this as a major incident and are already taking actions to fix the identified issue in our release process so that this cannot happen again.

Please accept our sincere apologies for this omission.

CSRF in Miscellaneous Configuration Container Configuration

CTR-1643

We fixed a Cross-Site Request Forgery (CSRF) issue in Configuration Container configuration.

CSRF in Client Master Manage > Push Configuration

CTR-1644

We fixed a Cross-Site Request Forgery (CSRF) issue in Client Master configuration.

CSRF in Shared Agent Configuration

CTR-1645

We fixed a Cross-Site Request Forgery (CSRF) issue in Shared Agent configuration.

Severity

Fix

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 2.222.42.0.2-rev2