Jenkins Security Advisory 2016-02-24
This advisory announces multiple vulnerabilities in Jenkins.
Remote code execution vulnerability in remoting module
SECURITY-232 / CVE-2016-0788
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.
HTTP response splitting vulnerability
SECURITY-238 / CVE-2016-0789
An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.
Non-constant time comparison of API token
SECURITY-241 / CVE-2016-0790
The verification of user-provided API tokens against the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to combine timing measurements with statistical analysis to recover valid API tokens by brute force.
Non-constant time comparison of CSRF crumbs
SECURITY-245 / CVE-2016-0791
The verification of user-provided CSRF crumbs against the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to combine timing measurements with statistical analysis to recover valid CSRF crumbs by brute force.
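The defect behind SECURITY-241 and SECURITY-245 is the same, so the following added example (written for this page, not Jenkins code; Jenkins itself is Java, where the equivalent hardened call is java.security.MessageDigest.isEqual) illustrates it once in Python: an early-exit comparison does an amount of work that depends on how many leading characters of the guess are correct, which is what a timing side channel measures, while a constant-time comparison does not. The secret and guesses are constructed sample values.

```python
import hmac


def naive_equals(expected: str, provided: str) -> tuple[bool, int]:
    """Early-exit comparison of the kind the advisory describes (illustrative).

    Returns the result together with the number of characters inspected, a
    proxy for elapsed time: it grows with the length of the correct prefix,
    which is the signal a timing side channel exploits.
    """
    if len(expected) != len(provided):
        return False, 0
    inspected = 0
    for a, b in zip(expected, provided):
        inspected += 1
        if a != b:
            return False, inspected  # stops at the first mismatch
    return True, inspected


def constant_time_equals(expected: str, provided: str) -> bool:
    """Hardened check: hmac.compare_digest examines every byte regardless of
    where the first mismatch is, so its running time does not reveal how
    much of the guess was correct."""
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


def inspected_counts(expected: str, guesses: list[str]) -> list[int]:
    """Work done by the naive comparison for each guess (constructed input)."""
    return [naive_equals(expected, g)[1] for g in guesses]


if __name__ == "__main__":
    secret = "abcd"  # constructed sample token, not a real credential
    guesses = ["zzzz", "azzz", "abzz", "abcz"]
    # The count climbs 1, 2, 3, 4 as each guess gets one more leading
    # character right; the constant-time check gives no such gradient.
    print(inspected_counts(secret, guesses))
    print(constant_time_equals(secret, "abcd"), constant_time_equals(secret, "abcz"))
```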
Remote code execution through remote API
SECURITY-247 / CVE-2016-0792
Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.
- SECURITY-232 is considered critical as it allows unprivileged attackers to execute arbitrary code in many configurations.
- SECURITY-238 is considered medium as it allows unprivileged attackers to send maliciously crafted links to victims that result in, for example, XSS.
- SECURITY-241 is considered high as it allows unprivileged attackers to brute-force valid login credentials.
- SECURITY-245 is considered medium as it allows unprivileged attackers to brute-force CSRF protection.
- SECURITY-247 is considered high as it allows low-privilege attackers to execute arbitrary code on the Jenkins master.
The following versions incorporate fixes to the vulnerabilities found in Jenkins:
- CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.16.1
- CloudBees Jenkins Operations Center 1.609.x.y should be upgraded to 1.609.16.1
- CloudBees Jenkins Enterprise 1.642.x.y should be upgraded to 1.642.2.1
- CloudBees Jenkins Enterprise 1.625.x.y should be upgraded to 1.625.16.1
- CloudBees Jenkins Enterprise 1.609.x.y should be upgraded to 1.609.16.1
- Jenkins LTS should be upgraded to 1.642.2
- Jenkins main line should be upgraded to Jenkins 1.650
- DEV@cloud is already protected
All prior versions are affected by these vulnerabilities.