CloudBees Security Advisory 2021-06-30

This advisory announces vulnerabilities in Jenkins, Cloudbees and CloudBees Jenkins Platform

Improper permission checks allow canceling queue items and aborting builds 

SECURITY-2278 / CVE-2021-21670

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier, CloudBees CI 2.289.1.2, CloudBees CI 2.249.31.0.5 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

Jenkins 2.300, LTS 2.289.2, CloudBees CI 2.289.2.2, CloudBees CI 2.249.31.0.6 and CloudBees CI 2.277.40.0.1 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission.

As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.

Session fixation vulnerability 

SECURITY-2371 / CVE-2021-21671

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier, CloudBees CI 2.289.1.2 and earlier, CloudBees CI 2.249.31.0.5 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.

Jenkins 2.300, LTS 2.289.2, CloudBees CI 2.289.2.2, CloudBees 2.249.31.0.6, CloudBees 2.277.40.0.1 invalidates the existing session on login.

NOTE: In case of problems, administrators can choose a different implementation by setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode to 2, or disable the fix entirely by setting that system property to 0.

Credit 

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Angélique Jard, CloudBees, Inc. for SECURITY-2278

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded 2.289.2.2

  • CloudBees Cloud Platforms should be upgraded 2.289.2.2

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.289.2.2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.289.2.2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.249.x.0.z) should be upgraded to version 2.249.31.6

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.277.x.0.z) should be upgraded to version 2.277.40.0.1