Jenkins Security Advisory 2017-03-20
This advisory announces vulnerabilities in these Jenkins plugins:
- Active Directory
- Email Extension (Email-ext)
- Pipeline: Classpath Step
- SSH Slaves
SSH Slaves Plugin did not verify host keys
SECURITY-161 / CVE-2017-2648
The SSH Slaves Plugin did not perform host key verification, thereby enabling Man-in-the-Middle attacks.
Active Directory Plugin did not verify certificate of AD server
SECURITY-251 / CVE-2017-2649
The Active Directory Plugin did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
Pipeline: Classpath Step plugin allowed Script Security sandbox bypass
SECURITY-336 / CVE-2017-2650
Use of this plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.
Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin and Email Extension Plugin
SECURITY-372 / CVE-2017-2651 (Mailer) and CVE-2017-2654 (Email Extension)
The Mailer and Email Extension Plugins are able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build.
This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
Missing permission checks in Distributed Fork Plugin
SECURITY-386 / CVE-2017-2652
There were no permission checks performed in the Distributed Fork plugin that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.
- Active Directory Plugin should be updated to version 2.3.
- DistFork Plugin should be updated to version 1.6.0.
- Email Extension (email-ext) Plugin should be updated to version 2.57.1.
- Mailer Plugin should be updated to version 1.20.
- SSH Slaves Plugin should be updated to version 1.15.
- Pipeline: Classpath Step Plugin should be disabled or uninstalled, and its uses replaced by the Pipeline libraries feature. No fix for this plugin is currently planned.
These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities unless otherwise noted.