CloudBees Security Advisory 2019-01-16
This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.
Administrators could persist access to Jenkins using crafted 'Remember me' cookie
SECURITY-868
Users with the Overall/RunScripts permission (typically administrators) were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire.
This allowed attackers to retain access to a Jenkins instance for as long as the corresponding user existed in the configured security realm, for example to persist access after another successful attack.
Jenkins now encodes a per-user seed value in 'Remember me' cookies that is invalidated when the user password in the Jenkins user database is changed, the user record in Jenkins is deleted, or when all sessions for a given user are terminated through a new feature on the user’s configuration page.
Deleting a user in an external security realm did not invalidate their session or 'Remember me' cookie
SECURITY-901
When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm did not result in the user losing access to Jenkins.
While deleting the user record from Jenkins did invalidate the 'Remember me' cookie, there was no way to invalidate active sessions besides restarting Jenkins or terminating sessions through other means, such as Monitoring Plugin.
Jenkins now encodes a per-user seed value in sessions, 'Remember me' cookies, and cached authentications of the remoting-based CLI, that can manually be reset by a user themselves, or an administrator, on the user’s configuration page. Doing so will invalidate all current sessions, 'Remember me' cookies, and cached CLI authentications, requiring credentials to be entered again to authenticate. Deleting a user record in Jenkins will now also invalidate existing sessions, as the current seed value is deleted as well.
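The following is an added illustration of the per-user seed mechanism described for SECURITY-868 and SECURITY-901 above; it is not Jenkins' or CloudBees' own code. It assumes a Spring Security-style token layout of "username:expiry:hmac" signed with a per-instance key (constructed here as SERVER_KEY), and walks through the scenario from both issues: a never-expiring cookie crafted by someone who knows the signing inputs, the legacy signature that nothing short of deleting the record can revoke, and the seeded signature that a seed reset or record deletion invalidates.

```python
import hashlib
import hmac
import secrets

# Constructed assumptions for the illustration (not Jenkins internals):
SERVER_KEY = b"constructed-instance-secret"   # per-instance signing key
FAR_FUTURE = 10 ** 12                          # expiry that will "never" pass


class UserDB:
    """Tiny in-memory user database; each record carries a per-user seed."""

    def __init__(self):
        self.users = {}

    def add(self, username):
        self.users[username] = {"seed": secrets.token_hex(8)}

    def reset_seed(self, username):
        """Models the 'terminate all sessions' action on the user page."""
        self.users[username]["seed"] = secrets.token_hex(8)

    def delete(self, username):
        """Deleting the record also discards the seed."""
        self.users.pop(username, None)


def _sign(username, expiry, seed):
    # Legacy scheme: seed is None, so the signature depends only on data a
    # script-console administrator can reproduce for as long as they like.
    parts = [username, str(expiry)] + ([seed] if seed is not None else [])
    msg = ":".join(parts).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(db, username, expiry, seeded=True):
    """Build a remember-me cookie; seeded=False models the pre-fix format."""
    seed = db.users[username]["seed"] if seeded else None
    return f"{username}:{expiry}:{_sign(username, expiry, seed)}"


def validate_cookie(db, cookie, now, seeded=True):
    """Return the username if the cookie verifies against the live record, else None."""
    try:
        username, expiry_s, sig = cookie.split(":")
        expiry = int(expiry_s)
    except ValueError:
        return None
    if expiry < now:
        return None
    record = db.users.get(username)
    if record is None:
        return None  # deleted record: nothing to verify against (either scheme)
    seed = record["seed"] if seeded else None
    if not hmac.compare_digest(_sign(username, expiry, seed), sig):
        return None
    return username


def demo():
    """Replay the advisory scenario; returns which cookies still verify at each step."""
    now = 1_547_600_000  # constructed "current time"
    db = UserDB()
    db.add("alice")

    # A crafted cookie with a far-future expiry, in both the legacy and seeded formats.
    legacy_forged = issue_cookie(db, "alice", FAR_FUTURE, seeded=False)
    fixed_forged = issue_cookie(db, "alice", FAR_FUTURE, seeded=True)

    results = {}
    results["legacy_before_reset"] = validate_cookie(db, legacy_forged, now, seeded=False)
    results["fixed_before_reset"] = validate_cookie(db, fixed_forged, now)

    db.reset_seed("alice")  # alice or an administrator terminates all sessions
    results["legacy_after_reset"] = validate_cookie(db, legacy_forged, now, seeded=False)
    results["fixed_after_reset"] = validate_cookie(db, fixed_forged, now)

    db.delete("alice")  # record gone, seed gone, neither format verifies
    results["legacy_after_delete"] = validate_cookie(db, legacy_forged, now, seeded=False)
    results["fixed_after_delete"] = validate_cookie(db, fixed_forged, now)
    return results


if __name__ == "__main__":
    for step, user in demo().items():
        print(f"{step}: {'valid for ' + user if user else 'rejected'}")
```

The point the scenario makes is that the seed is the only signing input the server can rotate without touching the user's credentials or the external realm, which is why resetting it is what gives administrators (and users) a revocation lever for sessions and cookies that would otherwise outlive the user.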