Security Advisories

CloudBees Security Advisory 2021-06-02

CloudBees Security Advisory 2020-06-02

This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.

Teams security model pushes RBAC roles even when RBAC is not enabled

BEE-177

Fix: RBAC role definitions were pushed to connected clients even when RBAC was not being used; this has been corrected.

CSRF Vulnerabilities in Cloudbees-Support Plugin

BEE-2048

Fix: Protects the plugin against unauthorized deactivation of data collection for the IO performance and TCP agent monitoring subsystems.

CSRF Vulnerability in Cloudbees-Assurance Plugin

BEE-2047

Problem: CloudBees Assurance Plugin 2.276.0.2 and earlier does not require POST requests for the form submission endpoint reconfiguring the update center, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to configure the default update center removing the one already applied.

Fix Description: CloudBees Assurance Plugin 2.276.0.3 requires POST requests for the reconfigure HTTP endpoint.
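The pattern behind this fix is the standard Jenkins/Stapler one: a state-changing "web method" that answers any HTTP verb can be triggered by a plain GET (an image tag or link on a third-party page, sent with the victim's session cookie), and Jenkins' CSRF crumb check only covers POST requests, so it offers no protection for such an endpoint. The following is an added illustration, not the CloudBees Assurance Plugin's source; the class name, method names, the `url` parameter and the field it writes are hypothetical stand-ins for "the form submission endpoint reconfiguring the update center".

```java
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical action object bound into the Stapler URL space; not the plugin's real class.
public class UpdateCenterReconfigureAction {

    // Hypothetical state: the update center the endpoint reconfigures.
    private String updateCenterUrl;

    // BEFORE (the vulnerable shape): no HTTP-method restriction. A cross-origin GET such as
    // /.../reconfigureVulnerable?url=... reaches this method with the victim's cookies, the
    // permission check passes for an administrator, and the update center is rewritten.
    // The crumb filter does not run for GET, so it does not help here.
    public HttpResponse doReconfigureVulnerable(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.updateCenterUrl = url;
        return HttpResponses.ok();
    }

    // AFTER (the hardened shape): @RequirePOST makes Stapler reject any non-POST request
    // before the method body runs (HTTP 405), and a POST from another origin must now carry
    // a valid crumb, which a third-party page cannot obtain. Keep the permission check:
    // method restriction and authorization are separate controls.
    @RequirePOST
    public HttpResponse doReconfigure(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.updateCenterUrl = url;
        return HttpResponses.ok();
    }

    public String getUpdateCenterUrl() {
        return updateCenterUrl;
    }
}
```

From a defender's side, the observable difference after upgrading is that a GET to a hardened reconfigure endpoint returns HTTP 405 instead of performing the change; the same annotation is what upstream Jenkins plugins use for every form-submission `do*` method that mutates configuration.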

BasicDefaultsProvider contributes an invalid RBAC configuration

BEE-3042

Fix: BasicDefaultsProvider contributed invalid roles to the default configuration. Generic, disabled, and dangerous permissions are now filtered out when creating the default RBAC roles configuration.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.289.1.2
  • CloudBees Cloud Platforms should be upgraded to 2.289.1.2
  • CloudBees Jenkins Platform (rolling train; CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.289.1.2
  • CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.249.31.0.5
