CloudBees Security Advisory 2014-10-01
This advisory announces:
multiple security vulnerabilities that were found in Jenkins core.
two security vulnerabilities found in the monitoring plugin
Affected Versions:
All the Jenkins releases <= 1.582
All the LTS releases <= 1.565.2
Monitoring plugin <= 1.52.1
Jenkins Enterprise by CloudBees 1.565.1.1 up to 1.565.2.x, 1.554.1.1 up to 1.554.9.x, and 1.532.1.1 up to 1.532.9.x
SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI handshake)
This vulnerability allows unauthenticated users with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on Jenkins through thread exhaustion.
SECURITY-110/CVE-2014-3662 (User name discovery)
Anonymous users can test if the user of a specific name exists or not through login attempts.
SECURITY-127&128/CVE-2014-3663 (privilege escalation in job configuration permission)
An user with a permission limited to Job/CONFIGURE can exploit this vulnerability to effectively create a new job, which should have been only possible for users with Job/CREATE permission, or to destroy jobs that he/she does not have access otherwise.
SECURITY-131/CVE-2014-3664 (directory traversal attack)
Users with Overall/READ permission can access arbitrary files in the file system readable by the Jenkins process, resulting in the exposure of sensitive information, such as encryption keys.
SECURITY-138/CVE-2014-3680 (Password exposure in DOM)
If a parameterized job has a default value in a password field, that default value gets exposed to users with Job/READ permission.
SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins core)
Reflected cross-site scripting vulnerability in Jenkins core. An attacker can navigate the user to a carefully crafted URL and have the user execute unintended actions.
SECURITY-150/CVE-2014-3666 (remote code execution from CLI)
Unauthenticated user can execute arbitrary code on Jenkins master by sending carefully crafted packets over the CLI channel.
SECURITY-155/CVE-2014-3667 (exposure of plugin code)
Programs that constitute plugins can be downloaded by anyone with the Overall/READ permission, resulting in the exposure of otherwise sensitive information, such as hard-coded keys in plugins, if any.
SECURITY-159/CVE-2013-2186 (arbitrary file system write)
Security vulnerability in commons fileupload allows unauthenticated attacker to upload arbitrary files to Jenkins master.
SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring plugin)
Monitoring plugin allows an attacker to cause a victim into executing unwanted actions on Jenkins instance.
SECURITY-113/CVE-2014-3679 (hole in access control)
Certain pages in monitoring plugin are visible to anonymous users, allowing them to gain information that they are not supposed to.
Severity
SECURITY-87 is rated medium , as it results in the loss of functionality.
SECURITY-110 is rated medium , as it results in a limited amount of information exposure.
SECURITY-127 and SECURITY-128 are rated high . The former can be used to further escalate privileges, and the latter results in loss of data.
SECURITY-131 and SECURITY-138 is rated critical . This vulnerabilities results in exposure of sensitie information and is easily exploitable.
SECURITY-143 is rated high . It is a passive attack, but it can result in a compromise of Jenkins master or loss of data.
SECURITY-150 is rated critical . This attack can be mounted by any unauthenticated anonymous user with HTTP reachability to Jenkins instance, and results in remote code execution on Jenkins.
SECURITY-155 is rated medium . This only affects users who have installed proprietary plugins on publicly accessible instances, which is relatively uncommon.
SECURITY-159 is rated critical . This attack can be mounted by any unauthenticated anonymous user with HTTP reachability to Jenkins instance.
SECURITY-113 is rated high . It is a passive attack, but it can result in a compromise of Jenkins master or loss of data.
Fix
Main line users should upgrade to Jenkins 1.583
LTS users should upgrade to 1.565.3
Jenkins Enterprise by CloudBees users should upgrade to either 1.565.3.1, 1.554.10.1, or 1.532.10.1 (depending on release lines)
Jenkins Operations Center by CloudBees users should upgrade to 1.554.10.1
DEV@cloud users need not take any actions. Your instances are being patched and upgraded.