This advisory announces multiple security vulnerabilities that were found in Jenkins core.
One of the vulnerabilities allows cross-site request forgery (CSRF) attacks on Jenkins master, which causes a user to make unwanted actions on Jenkins. Another vulnerability enables cross-site scripting (XSS) attacks, which has a similar consequence. Another vulnerability allows an attacker to bypass the CSRF protection mechanism in place, thereby mounting more CSRF attackes. These attacks allow an attacker without direct access to Jenkins to mount an attack.
In the fourth vulnerability, a malicious user of Jenkins can trick Jenkins into building jobs that they do not have direct access to.
And lastly, a vulnerability allows a malicious user of Jenkins to mount a denial of service attack by feeding a carefully crafted payload to Jenkins.
The first three vulnerabilities (CSRF and XSS) are rated as high, as they allow malicious users to gain unauthorized access to the information and impersonate the administrator of the system. In addition, this allows Jenkins inside a firewall to be attacked from outside. On the other hand, this attack can only be mounted passively, and the attacker needs to know the URL of your Jenkins installations.
The build privilege escalation vulnerability is rated as medium, as it requires an attacker to be a valid user of Jenkins, with write access.
The last denial of service attack is rated low, as it also requires an attacker to be a valid user of Jenkins with write access, and this does not result in any data loss nor privilege escalation.
- Main line users should upgrade to Jenkins 1.502
- LTS users should upgrade to 1.480.3
- Users of Jenkins Enterprise by CloudBees 1.447.x should upgrade to 1.447.7.1
- Users of Jenkins Enterprise by CloudBees 1.466.x should upgrade to 1.466.13.1
- Users of Jenkins Enterprise by CloudBees 1.480.x should upgrade to 1.480.3.1
- Fix has already been deployed to DEV@cloud
All the prior versions are affected by these vulnerabilities.
As a part of the fix, these versions contain the following incompatible changes. Administrators of Jenkins need to be aware of the following implications of the upgrade:
- JSONP support in Remote access API is removed. If you have other programs that depend on this behavior, you can set the hudson.model.Api.INSECURE system property to true, to resurrect behaviour. However, this is highly discouraged.
- If your Jenkins does not have the security enabled, some of the Remote access API calls that previously didn’t require POST now require it. See the “CSRF Protection” section of the remote access API page for how to add necessary header.