CloudBees Security Advisory 2023-02-09

This advisory announces vulnerabilities in CloudBees CI and CloudBees Jenkins Platform.

Git releases with critical vulnerabilities on CloudBees CI Docker images

SECURITY-3039 / CVE-2022-23521 and CVE-2022-41903
Severity (CVSS): Critical
Description:

CloudBees provides Docker images for the CloudBees CI platform. These Docker images include the git command line tool to interact with Git repositories.

Git releases published before 2023-01-17 are affected by the vulnerabilities CVE-2022-23521 and CVE-2022-41903. In the context of CloudBees CI, the former vulnerability could be exploited through crafted repository contents, allowing an attacker with commit access to a Git repository cloned on a controller or agent to achieve remote code execution.

Building software is the primary use case for CloudBees CI. To accomplish that, CloudBees CI invokes build scripts containing user-specified code, usually retrieved from an SCM like Git. As a result, this vulnerability only has a real impact in very narrow circumstances: when attackers can control repository contents, but are unable to change build steps, Jenkinsfiles, test code that gets executed by CloudBees CI, or similar.

A new version of these images with the patched Git 2.31.1-3 has been released.

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.375.3.4

  • CloudBees Cloud Platforms should be upgraded to 2.375.3.4

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) should be upgraded to 2.346.40.0.8

NOTE: Customers would need to update the image version in their build pod definitions.
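As an added example (not part of the advisory or of CloudBees' tooling), the following script checks whether the git package inside a controller or agent image is at least the fixed 2.31.1-3 named above. It assumes the image uses rpm, since the advisory's version is written as a package version-release; a plain `git --version` omits the release number and so cannot show whether the backported fix is present. Run it inside the image, e.g. `docker run --rm <your-agent-image> sh < check_git.sh` (image name is a placeholder).

```shell
#!/bin/sh
# Added example, not from the CloudBees advisory. Assumption: the image uses
# rpm, so the fixed git is identified by its VERSION-RELEASE string.
FIXED_GIT="2.31.1-3"

# ver_ge A B: exit 0 if version-release A >= B. Both strings are split on
# '.' and '-' and compared field by field as integers; non-numeric suffixes
# such as "el8" count as 0, so "2.31.1-3.el8" >= "2.31.1-3".
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# git_is_fixed VERSION-RELEASE: exit 0 if the given git package version is
# at or above FIXED_GIT, 1 otherwise.
git_is_fixed() {
  ver_ge "$1" "$FIXED_GIT"
}

# check_installed_git: query the local rpm database (when present) and report
# whether the installed git carries the fix. Exit 0 = fixed, 1 = vulnerable,
# 2 = git package not found or rpm unavailable (inspect the image manually).
check_installed_git() {
  pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' git 2>/dev/null) || pkg=""
  [ -n "$pkg" ] || { echo "git rpm not found; inspect the image manually"; return 2; }
  if git_is_fixed "$pkg"; then
    echo "git $pkg: fixed (>= $FIXED_GIT)"
  else
    echo "git $pkg: VULNERABLE (< $FIXED_GIT), update the image in the pod definition"
    return 1
  fi
}

# Report on the image this script is running in (result is informational here).
check_installed_git || true
```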