CloudBees Security Advisory 2018-02-26

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

SECURITY-248 - Environment Injector Plugin before 1.91 stored sensitive build variables

EnvInject plugin stores environment variables in order to visualize them in the "Injected Environment Variables" view. Sensitive build variables, typically passwords, are exempt from this behavior. Plugin versions older than 1.91 (released on Mar 08, 2015) however did not exempt sensitive variables, and persisted them on disk too. Such persisted sensitive variables may be displayed by any release of this plugin for builds run before it was updated to version 1.91 or newer. While the bug persisting sensitive build variables has been addressed in release 1.91, there is no fix addressing this problem for historical build data. You may be affected by this sensitive data exposure issue if all of the following are true:

  • You define sensitive environment variables globally, per node, or per job.

  • You have ever used Environment Injector Plugin 1.90 or older.

  • You still have build records created while Environment Injector Plugin 1.90 or older was installed and enabled.

To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:

  • Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those ones who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you've purged the data on disk (below).

  • Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.

  • Rotate all secrets that have potentially been exposed.

SECURITY-260 - Coverity Plugin stored keystore and private key passwords in plain text

The Coverity Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations.

The Coverity Plugin now integrates with Credentials Plugin to store passwords, and automatically migrates existing passwords.

SECURITY-402 - Improper access control in Gerrit Trigger Plugin allowed unauthorized users to read some server configuration information

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to access a form that showed the configuration of Gerrit servers in Jenkins. The key file password was only shown in its encrypted form, if configured. Other options were plainly visible.

The missing permission check has been added.

SECURITY-403 - Improper access control in Gerrit Trigger Plugin allowed unauthorized users to modify global Gerrit Server configurations

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to perform the following actions

  • Configure Gerrit servers

  • Connect and disconnect configured Gerrit servers

The missing permission checks have been added.

SECURITY-498 - Improper access control allowed users without ManageOwnership permission to change job ownership metadata in Job and Node ownership Plugin

Job and Node ownership Plugin did not prevent the ownership metadata being overwritten when a job or node configuration was updated from the CLI or using the remote API (POST config.xml ). This allowed users with Job/Configure permission but without ManageOwnership/Jobs permission to change job ownership metadata, and users with Computer/Configure but without ManageOwnership/Nodes to change node ownership metadata.

  • Changes to job or node ownership metadata via remote API now require ManageOwnership/Jobs or ManageOwnership/Nodes permission, respectively.

  • Changes to job or node ownership via CLI require Overall/Administer permission.

SECURITY-554 - Azure Slave Plugin bundled outdated httpclient library with denial of service vulnerability

The Azure Slave Plugin bundles a version of the httpclient library that is vulnerable to CVE-2015-5262 .

As the plugin has been deprecated in favor of Azure VM Agents Plugin in 2016, there are no plans to release a fix. It has been removed from distribution per request by the former maintainers.

SECURITY-712 - Reflected cross-site-scripting vulnerability in report URL of CppNCSS Plugin

CppNCSS Plugin did not properly escape the report name and graph name, resulting in a reflected cross-site scripting vulnerability.

Report name and graph name are now properly escaped.

SECURITY-715 - Unprivileged users are able to enumerate credential IDs in Google Play Android Publisher Plugin

Google Play Android Publisher Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with the Google Play API. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

Additionally, a related form validation function would allow verification whether a specified credential is valid for use with the Google Play API.

Enumeration of credentials IDs and validation of specified credentials in this plugin now requires the permission to have the ExtendedRead permission (when that permission is enabled; otherwise Configure permission) to the job in whose context credentials are being accessed.

SECURITY-723 - Disclosure of user names and node names to unauthorized users through post-commit hook URL in Git Plugin

The class handling unauthenticated Git post-commit hook notification requests at the /git/ path unnecessarily extended another type that handled requests to the .../search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyone with Overall/Read permission. In current Jenkins releases, those are typically the names of known users (both actual users of Jenkins, and known SCM committers) and nodes (master and agents).

The class handling requests to /git/ no longer extends the class handling requests to the .../search/ sub-path, therefore any such requests will fail.

SECURITY-724 - Disclosure of user names and node names to unauthorized users through post-commit hook URL in Subversion Plugin

The class handling unauthenticated Subversion post-commit hook notification requests at the +/subversion/+ path unnecessarily extended another type that handled requests to the .../search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyone with Overall/Read permission. In current Jenkins releases, those are typically the names of known users (both actual users of Jenkins, and known SCM committers) and nodes (master and agents).

The class handling requests to /subversion/ no longer extends the class handling requests to the .../search/ sub-path, therefore any such requests will fail.

SECURITY-726 - Disclosure of user names and node names to unauthorized users through post-commit hook URL in Mercurial Plugin

The class handling unauthenticated Mercurial post-commit hook notification requests at the /mercurial/ path unnecessarily extended another type that handled requests to the .../search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyone with Overall/Read permission. In current Jenkins releases, those are typically the names of known users (both actual users of Jenkins, and known SCM committers) and nodes (master and agents).

The class handling requests to /mercurial/ no longer extends the class handling requests to the .../search/ sub-path, therefore any such requests will fail.

SECURITY-731 - Stored cross-site scripting vulnerability in TestLink Plugin

Users with Job/Configure permission were able to configure TestLink reports to display arbitrary unescaped HTML e.g. in test case names.

The plugin now properly escapes its HTML output.

SECURITY-746 - Promoted Builds Plugin allowed unauthorized users to run some promotion processes

Users with Job/Read access were able to approve and re-execute promotion processes with a manual promotion condition that did not specify a list of users allowed to manually approve the promotion.

The plugin now requires users to have the Promotion/Promote permission to be able to approve or re-execute a promotion with manual condition that does not specify a list of users allowed to approve it.

The following additional changes to permission enforcement were implemented in this update to make condition enforcement consistent for the three actions Approve, Re-Execute, and Force:

NOTE: Some of these changes allow users to act on some promotions they were not able to act on in 2.x releases of this plugin.

  • Users with just the Promotion/Promote permission are no longer allowed to re-execute or force promotions with a manual condition that specifies a list of users, unless the user is on that list.

  • Administrators are now able to approve any promotion with a manual condition.

  • Users specified in a manual promotion condition are now allowed to force this promotion.

Severity

Fix

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.89.4.2 revision 2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.89.4.2 revision 2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.73.30.0.1 revision 2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.46.x.0.y) should be upgraded to version 2.46.30.0.1 revision 2

  • CloudBees Jenkins Team should be upgraded to version 2.89.4.2 revision 2

  • DEV@cloud is already protected