Jenkins Security Advisory 2016-02-24

This advisory announces multiple vulnerabilities in Jenkins.

Remote code execution vulnerability in remoting module

SECURITY-232 / CVE-2016-0788

A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.

HTTP response splitting vulnerability

SECURITY-238 / CVE-2016-0789

An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.

Non-constant time comparison of API token

SECURITY-241 / CVE-2016-0790

The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.

Non-constant time comparison of CSRF crumbs

SECURITY-245 / CVE-2016-0791

The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.

Remote code execution through remote API

SECURITY-247 / CVE-2016-0792

Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.

Severity: 
  • SECURITY-232 is considered critical as it allows unprivileged attackers to execute arbitrary code in many configurations.
  • SECURITY-238 is considered medium as it allows unprivileged attackers to send maliciously crafted links that result e.g. in XSS to victims.
  • SECURITY-241 is considered high as it allows unprivileged attackers to brute-force valid login credentials.
  • SECURITY-245 is considered medium as it allows unprivileged attackers to brute-force CSRF protection.
  • SECURITY-247 is considered high as it allows low-privilege attackers to execute arbitrary code on the Jenkins master.

 

Fix: 

The following versions incorporate fixes to the vulnerabilities found in Jenkins:

  • CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.16.1
  • CloudBees Jenkins Operations Center 1.609.x.y should be upgraded to 1.609.16.1
  • CloudBees Jenkins Enterprise 1.642.x.y should be upgraded to 1.642.2.1
  • CloudBees Jenkins Enterprise 1.625.x.y should be upgraded to 1.625.16.1
  • CloudBees Jenkins Enterprise 1.609.x.y should be upgraded to 1.609.16.1
  • Jenkins LTS should be upgraded to 1.642.2
  • Jenkins main line should be upgraded to Jenkins 1.650
  • DEV@cloud is already protected

All prior versions are affected by these vulnerabilities.