CloudBees Security Advisory 2020-12-03

This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.

Missing CSRF and Permission Check Leading to SSRF

CTR-2797

CloudBees fixed a cross-site request forgery (CSRF) issue in the Client Master URL connection field on the Operations Center Client Master item manage page and added a new permission check.

Groups on items and nodes are ignored after the RBAC migration until the next restart

CTR-2757

Groups are not available on items after the RBAC migration until the next restart. Depending on their permission configuration strategy (either adding more permissions in folders or filtering roles), customers will experience either a lack of permissions or an increase in permissions.

High Availability Status page unprotected

CTR-2364

The HA status page was not protected, which allowed anyone to view the status of a cluster.

With this change, only users with the Administer permission are able to see the HA status page.
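As an added illustration (not CloudBees' code; the class, URL name and field are hypothetical), the two guards the first and third items describe, written the way a Jenkins plugin would implement them: a status page that is readable only with Administer, and a URL form-validation method that requires POST and a permission check before it opens an outbound connection.

```java
import hudson.Extension;
import hudson.model.RootAction;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.verb.POST;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

// Hypothetical root action served at /ha-status-example/ (illustrative, not CloudBees' code).
@Extension
public class HaStatusExampleAction implements RootAction {
    @Override public String getIconFileName() { return null; } // no sidebar link
    @Override public String getDisplayName() { return "HA status (example)"; }
    @Override public String getUrlName() { return "ha-status-example"; }

    // GET /ha-status-example/ : without the checkPermission line anyone who can
    // reach the instance could read the page (the CTR-2364 class of issue).
    public void doIndex(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // AccessDeniedException otherwise
        rsp.setContentType("text/plain;charset=UTF-8");
        rsp.getWriter().println("nodes configured: " + Jenkins.get().getComputers().length);
    }

    // Form validation for a "server URL" field, dispatched by Stapler at
    // /ha-status-example/checkServerUrl. It connects to a user-supplied URL, so
    // it needs both guards: @POST rejects the cross-site GET that made the CSRF
    // possible, and checkPermission limits who may trigger the outbound request.
    @POST
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (value == null || value.trim().isEmpty()) return FormValidation.error("Server URL is required");
        try {
            URL url = new URL(value.trim()); // MalformedURLException is an IOException
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(3000); conn.setReadTimeout(3000);
            conn.setRequestMethod("HEAD");
            int code = conn.getResponseCode();
            return code < 400 ? FormValidation.ok("Reachable (HTTP " + code + ")")
                              : FormValidation.error("Server answered HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```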

Permissions are not correctly applied if RBAC on Views is disabled

CTR-2748

Since the November rolling release (2.249.3.1), it is not possible to define groups on views, so the expected permission set should come from the view's parent item. However, a bug caused the permission set to be the root one (i.e. whatever is defined at root level).

This fix makes the view use the permission set coming from the view's owner. If the view is inside a folder, the folder's groups and roles are applied; if the view is at the root level, the global groups and roles are applied.

RBAC on nested connected masters, shared agents, shared clouds and shared configurations is not migrated

CTR-2742, CTR-2740

A previous version update caused an issue with the RBAC configuration of Operations Center items in nested folders. This version corrects that issue by performing an additional migration of the RBAC configuration for all the Operations Center items in the Jenkins instance, not just the items defined at the top level.

Upgraded Script Security plugin dependency

CTR-2238

The Script Security plugin's groovy-sandbox library dependency was included as version 1.20, which contains vulnerabilities.

With this fix, the Script Security plugin no longer includes version 1.20 of the groovy-sandbox library.

CVE-2017-18640 Located in bluesteel-cjoc.hpi Dependency SnakeYAML 1.10

CTR-2511

The snakeyaml:1.10 library contains a known security vulnerability.

With this change we are removing the dependency on that library.

Upgrade notes:
IMPORTANT - By removing the SnakeYAML dependency we are also removing old migration code, which means updates from versions of this plugin older than 1.1.0 (3 years old) will require a multistep upgrade.

The multistep upgrade involves two steps:
1. Update to a version previous to this one.
2. Update to this version.

If users skip a step in the multistep process, they could incur data loss.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.263.1.2

  • CloudBees Cloud Platforms should be upgraded to 2.263.1.2

  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.263.1.2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.263.1.2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.222.x.0.z) should be upgraded to version 2.222.42.0.3

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.190.x.0.z) should be upgraded to version 2.190.33.0.4