CloudBees Security Advisory 2016-02-25
This advisory announces multiple vulnerabilities in Jenkins.
Remote code execution vulnerability in remotingmodule
SECURITY-232 / CVE-2016-0788
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.
HTTP response splitting vulnerability
SECURITY-238 / CVE-2016-0789
An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.
Non-constant time comparison of API token
SECURITY-241 / CVE-2016-0790
The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.
Non-constant time comparison of CSRF crumbs
SECURITY-245 / CVE-2016-0791
The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.
Remote code execution through remote API
SECURITY-247 / CVE-2016-0792
Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.
Severity
SECURITY-232 is considered critical as it allows unprivileged attackers to execute arbitrary code in many configurations.
SECURITY-238 is considered medium as it allows unprivileged attackers to send maliciously crafted links that result e.g. in XSS to victims.
SECURITY-241 is considered high as it allows unprivileged attackers to brute-force valid login credentials.
SECURITY-245 is considered medium as it allows unprivileged attackers to brute-force CSRF protection.
SECURITY-247 is considered high as it allows low-privilege attackers to execute arbitrary code on the Jenkins master.
Fix
The following versions incorporate fixes to the vulnerabilities found in Jenkins:
CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.16.1
CloudBees Jenkins Operations Center 1.609.x.y should be upgraded to 1.609.16.1
CloudBees Jenkins Enterprise 1.642.x.y should be upgraded to 1.642.2.1
CloudBees Jenkins Enterprise 1.625.x.y should be upgraded to 1.625.16.1
CloudBees Jenkins Enterprise 1.609.x.y should be upgraded to 1.609.16.1
Jenkins LTS should be upgraded to 1.642.2
Jenkins main line should be upgraded to Jenkins 1.650
DEV@cloud is already protected
All prior versions are affected by these vulnerabilities.