CloudBees Security Advisory 2016-02-25

This advisory announces multiple vulnerabilities in Jenkins.

Remote code execution vulnerability in remotingmodule

SECURITY-232 / CVE-2016-0788

A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.

HTTP response splitting vulnerability

SECURITY-238 / CVE-2016-0789

An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.

Non-constant time comparison of API token

SECURITY-241 / CVE-2016-0790

The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.

Non-constant time comparison of CSRF crumbs

SECURITY-245 / CVE-2016-0791

The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.

Remote code execution through remote API

SECURITY-247 / CVE-2016-0792

Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.

Severity

  • SECURITY-232 is considered critical as it allows unprivileged attackers to execute arbitrary code in many configurations.

  • SECURITY-238 is considered medium as it allows unprivileged attackers to send maliciously crafted links that result e.g. in XSS to victims.

  • SECURITY-241 is considered high as it allows unprivileged attackers to brute-force valid login credentials.

  • SECURITY-245 is considered medium as it allows unprivileged attackers to brute-force CSRF protection.

  • SECURITY-247 is considered high as it allows low-privilege attackers to execute arbitrary code on the Jenkins master.

Fix

The following versions incorporate fixes to the vulnerabilities found in Jenkins:

  • CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.16.1

  • CloudBees Jenkins Operations Center 1.609.x.y should be upgraded to 1.609.16.1

  • CloudBees Jenkins Enterprise 1.642.x.y should be upgraded to 1.642.2.1

  • CloudBees Jenkins Enterprise 1.625.x.y should be upgraded to 1.625.16.1

  • CloudBees Jenkins Enterprise 1.609.x.y should be upgraded to 1.609.16.1

  • Jenkins LTS should be upgraded to 1.642.2

  • Jenkins main line should be upgraded to Jenkins 1.650

  • DEV@cloud is already protected

All prior versions are affected by these vulnerabilities.

More Security Advisories
Capabilities
Resources
Why CloudBees
© 2023 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders. Jenkins® is a registered trademark of LF Charities Inc.
Privacy PolicyTerms of ServiceCloudBees Vulnerability Reporting