Jenkins Security Advisory 2014-04-01

This advisory announces multiple security vulnerabilities that were found in Jenkins Enterprise by CloudBees plugins.

RM-2332 / CVE-2014-2661

The CloudBees Backup plugin allowed any Jenkins user able to create a job (and make an SFTP or WebDAV server accessible to the Jenkins server) to obtain full backups, including secrets as in RM-1337, but also job configurations (whether or not they normally had access to those jobs), and various system configuration files that might be confidential.

RM-2342

The CloudBees Role-Based Access Control plugin neglected to enforce POST method on some web accesses, potentially allowing an attacker to trick a Jenkins administrator into visiting a crafted web page which could change group membership or similar security settings. Additionally, some web requests could leak the names of users or groups in an external security realm to unprivileged users.
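The two defects above come down to per-endpoint policy: a state-changing request must arrive as a POST carrying a session-bound anti-CSRF token (Jenkins calls it a crumb), and a directory lookup must require a permission before it answers. The following is an added illustration of that policy, written for this advisory rather than taken from Jenkins or the CloudBees plugin; the endpoint paths, permission names and the HMAC-based crumb are constructed assumptions, not Jenkins' own URLs or crumb format.

```python
import hashlib
import hmac
import secrets

# Constructed routing table (hypothetical paths, not Jenkins URLs).  Each
# entry says whether the endpoint changes state and which permission it needs.
ENDPOINTS = {
    "/role/assign":  {"mutating": True,  "permission": "ADMINISTER"},
    "/group/member": {"mutating": True,  "permission": "ADMINISTER"},
    "/realm/lookup": {"mutating": False, "permission": "ADMINISTER"},
    "/job/list":     {"mutating": False, "permission": "READ"},
}

# Per-deployment secret; generated here only to make the example self-contained.
SERVER_KEY = secrets.token_bytes(32)


def issue_crumb(session_id: str) -> str:
    """Anti-CSRF crumb bound to the session.  A third-party page can make the
    browser send a request with the victim's cookies, but it cannot read or
    compute this value, so it cannot attach a valid crumb."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize(path, method, session_id, crumb, permissions):
    """Decide whether a request may proceed.  Returns (allowed, reason)."""
    spec = ENDPOINTS.get(path)
    if spec is None:
        return False, "unknown endpoint"
    # Permission check first: an unprivileged user never learns whether the
    # lookup endpoint exists or what names it would return.
    if spec["permission"] not in permissions:
        return False, "permission denied"
    if spec["mutating"]:
        # Reject GET outright: a cross-site <img> or link cannot issue a POST
        # with a crumb, so enforcing the method closes the passive attack.
        if method != "POST":
            return False, "method not allowed"
        expected = issue_crumb(session_id)
        if crumb is None or not hmac.compare_digest(expected, crumb):
            return False, "missing or invalid crumb"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc"
    print(authorize("/group/member", "GET", sid, None, {"ADMINISTER"}))
    print(authorize("/group/member", "POST", sid, issue_crumb(sid), {"ADMINISTER"}))
    print(authorize("/realm/lookup", "GET", sid, None, {"READ"}))
```

The order of checks matters: the permission test runs before anything endpoint-specific, so the response to an unprivileged caller is the same whether or not the backing realm has such a user or group.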

Severity:

RM-2332 is rated critical, since it allows users to bypass job configuration and other access control restrictions, and in conjunction with RM-1337 allows for an escalation of privileges.

RM-2342 is rated as medium, since a CSRF attack is passive. Leaked member names are also not in and of themselves a threat in most installations.

Fix:

Users of Jenkins Enterprise by CloudBees (any version) should upgrade the CloudBees Backup plugin to (at least) version 3.11. Any existing backups which are kept on a medium less secure than $JENKINS_HOME itself should be destroyed, or the secrets/master.key and identity.key entries removed from them. secrets/master.key and identity.key do need to be backed up, but are small and should ideally be kept on a separate and more secure medium (once created they never change); administrators are encouraged to select the new option "Omit master key" and then manually make copies of these files. Existing backup projects in a secured installation will not be able to run unless and until a Jenkins administrator resaves their configuration.
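The advice above amounts to splitting an existing backup in two: everything except secrets/master.key and identity.key stays on the ordinary backup medium, and those two entries go to a separate, better protected one. The script below is an added example of doing that split on a .tar.gz backup; it is not part of the CloudBees plugin, and the archive layout (a single jenkins_home/ top-level directory) and the file contents it builds for the demonstration are constructed placeholders.

```python
import io
import os
import tarfile
import tempfile

# The two entries the advisory says must not sit on a less secure medium
# than $JENKINS_HOME itself.
SENSITIVE = {"secrets/master.key", "identity.key"}


def is_sensitive(member_name: str) -> bool:
    """True if the archive entry is one of the key files, allowing for a
    leading "./" and at most one top-level directory (an assumption about how
    the backup was laid out; paths deeper than that are left alone)."""
    name = member_name.lstrip("./")
    if name in SENSITIVE:
        return True
    return "/" in name and name.split("/", 1)[1] in SENSITIVE


def split_backup(src: str, sanitized: str, keys_out: str) -> dict:
    """Rewrite `src` as `sanitized` without the key entries, and write only
    those entries to `keys_out` (destined for the secure medium).
    Returns how many entries went to each archive."""
    kept = removed = 0
    with tarfile.open(src, "r:gz") as s, \
         tarfile.open(sanitized, "w:gz") as clean, \
         tarfile.open(keys_out, "w:gz") as keys:
        for member in s.getmembers():
            data = s.extractfile(member) if member.isfile() else None
            if is_sensitive(member.name):
                keys.addfile(member, data)
                removed += 1
            else:
                clean.addfile(member, data)
                kept += 1
    return {"kept": kept, "removed": removed}


def build_demo_backup(path: str) -> None:
    """Constructed sample backup; the key contents are placeholders."""
    files = {
        "jenkins_home/config.xml": b"<hudson/>",
        "jenkins_home/identity.key": b"PLACEHOLDER-IDENTITY-KEY",
        "jenkins_home/secrets/master.key": b"PLACEHOLDER-MASTER-KEY",
        "jenkins_home/jobs/build/config.xml": b"<project/>",
    }
    with tarfile.open(path, "w:gz") as t:
        for name, blob in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            t.addfile(info, io.BytesIO(blob))


def demo() -> dict:
    """Run the split on the constructed backup and report what landed where."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "backup.tar.gz")
        clean = os.path.join(d, "backup-nokeys.tar.gz")
        keys = os.path.join(d, "keys-only.tar.gz")
        build_demo_backup(src)
        result = split_backup(src, clean, keys)
        with tarfile.open(clean) as t:
            result["clean_names"] = sorted(t.getnames())
        with tarfile.open(keys) as t:
            result["key_names"] = sorted(t.getnames())
        return result


if __name__ == "__main__":
    print(demo())
```

After running this on a real backup, the original archive still contains the keys and must be securely deleted, as must any copies on the same medium; listing the sanitized archive afterwards confirms that neither entry survived.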

Users of Jenkins Enterprise by CloudBees (any version) should upgrade the CloudBees Role-Based Access Control plugin to (at least) version 4.5.1.