-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Jenkins Security Advisory 2015-11-11
12 November 2015
AusCERT Security Bulletin Summary
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Existing Account
Cross-site Request Forgery -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Existing Account
Unauthorised Access -- Existing Account
CVE Names: CVE-2015-5326 CVE-2015-5325 CVE-2015-5324
CVE-2015-5323 CVE-2015-5322 CVE-2015-5321
CVE-2015-5320 CVE-2015-5319 CVE-2015-5318
--------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2015-11-11
This advisory announces multiple vulnerabilities in Jenkins.
Project name disclosure via fingerprints
SECURITY-153 / CVE-2015-5317
The Jenkins UI allowed users to see the names of jobs and builds otherwise
inaccessible to them on the "Fingerprints" pages if those shared file
fingerprints with fingerprinted files in accessible jobs.
Public value used for CSRF protection salt
SECURITY-169 / CVE-2015-5318
The salt used to generate the CSRF protection tokens was a publicly accessible
value, allowing malicious users to circumvent CSRF protection by generating
the correct token.
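To make the SECURITY-169 finding concrete, here is an added illustration (not Jenkins code; Jenkins is written in Java and this is a Python sketch of the pattern) of why a CSRF token derived only from publicly readable inputs can be recomputed, and why keying the token with a server-side secret closes that gap. The token inputs (user name, client address) and the salt value are assumptions chosen for the example, not the fields Jenkins actually uses:

```python
import hashlib
import hmac
import secrets

# Constructed sample request context (hypothetical values, not Jenkins internals).
USER = "alice"
CLIENT_IP = "198.51.100.7"
PUBLIC_SALT = "instance-id-readable-by-any-user"  # the weakness: a salt anyone can read
SERVER_SECRET = secrets.token_bytes(32)           # the fix: a value only the server holds


def weak_crumb(user: str, client_ip: str, public_salt: str) -> str:
    """Token pattern of the SECURITY-169 class: a plain hash over inputs that are
    all visible to the requester, so the requester can recompute it."""
    material = f"{user}:{client_ip}:{public_salt}".encode()
    return hashlib.sha256(material).hexdigest()


def strong_crumb(user: str, client_ip: str, server_secret: bytes) -> str:
    """HMAC keyed with a server-side secret: the same public inputs go in, but
    without the key the token cannot be reproduced."""
    material = f"{user}:{client_ip}".encode()
    return hmac.new(server_secret, material, hashlib.sha256).hexdigest()


def verify_crumb(expected: str, presented: str) -> bool:
    """Constant-time comparison so verification itself does not leak the token."""
    return hmac.compare_digest(expected, presented)


def forgeable_with_public_inputs_weak() -> bool:
    """Someone holding only the public inputs rebuilds the weak token exactly."""
    server_side = weak_crumb(USER, CLIENT_IP, PUBLIC_SALT)
    rebuilt = weak_crumb(USER, CLIENT_IP, PUBLIC_SALT)  # nothing secret was needed
    return verify_crumb(server_side, rebuilt)


def forgeable_with_public_inputs_strong() -> bool:
    """Same attempt against the keyed token: the public salt stands in for the
    unknown key, and verification fails."""
    server_side = strong_crumb(USER, CLIENT_IP, SERVER_SECRET)
    rebuilt = strong_crumb(USER, CLIENT_IP, PUBLIC_SALT.encode())
    return verify_crumb(server_side, rebuilt)
```

The practical check for an operator is the first function's question: could every input to the token be read by an ordinary user? If yes, the token adds nothing. The hardened form keeps the same request binding but makes the server secret the only thing standing between the requester and a valid token.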
XXE injection into job configurations via CLI
SECURITY-173 / CVE-2015-5319
When creating a job using the create-job CLI command, external entities are
not discarded (nor processed). If these job configurations are processed by
another user with an XML-aware tool (e.g. using get-job/update-job),
information from that user's computer may be disclosed to Jenkins and the
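The defensive counterpart to SECURITY-173 is to refuse a DOCTYPE at the point where job configuration XML is accepted, since a job config never needs one. The following is an added example, not Jenkins code (Jenkins is Java; this uses Python's standard library to show the pattern). The sample configurations are constructed for the example and the SYSTEM identifier in the second one is a placeholder path, not a real file:

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample job configuration without any DTD (not real Jenkins job XML).
CLEAN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<project>
  <description>nightly build</description>
  <disabled>false</disabled>
</project>
"""

# Constructed sample carrying a DTD with an external entity reference.
# The SYSTEM identifier is a placeholder, not a real path.
ENTITY_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE project [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local-file.txt">
]>
<project>
  <description>&ext;</description>
</project>
"""


class DoctypeRejected(ValueError):
    """Raised when a submitted config carries a DOCTYPE or entity declaration."""


def _reject(*_args):
    raise DoctypeRejected("DOCTYPE and entity declarations are not accepted in job configs")


def parse_job_config(xml_text: str) -> ET.Element:
    """Parse a submitted job config, refusing any DTD up front.

    Rejecting the DOCTYPE outright is simpler and safer than toggling individual
    entity-resolution features, and it also protects whoever later reads the stored
    config with a different, possibly entity-expanding, XML tool.
    """
    checker = xml.parsers.expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject  # fires on any <!DOCTYPE ...>
    checker.EntityDeclHandler = _reject        # fires on any <!ENTITY ...>
    checker.Parse(xml_text, True)              # raises DoctypeRejected if either fires
    return ET.fromstring(xml_text)             # no DTD present, build the tree


def is_accepted(xml_text: str) -> bool:
    """True if the config passes the DTD check and parses cleanly."""
    try:
        parse_job_config(xml_text)
        return True
    except (DoctypeRejected, ET.ParseError, xml.parsers.expat.ExpatError):
        return False
```

Because the check runs on ingestion, a config that reaches storage can no longer carry entity declarations, so the later get-job/update-job round trip the advisory describes has nothing to expand regardless of how the client tool is configured.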
Secret key not verified when connecting a slave
SECURITY-184 / CVE-2015-5320
JNLP slave connections did not verify that the correct secret was supplied,
which allowed malicious users to connect their own machines as slaves to
Jenkins knowing only the name of the slave. This enables attackers to take
over Jenkins (unless the slave-to-master security subsystem is enabled) or
gain access to private data like keys and source code.
Queue API did show items not visible to the current user
SECURITY-186 / CVE-2015-5324
The /queue/api URL could return information about items not accessible to the
current user (such as parameter names and values, build names, project
Information disclosure via sidepanel
SECURITY-192 / CVE-2015-5321
The CLI command overview and help pages in Jenkins were accessible without
Overall/Read permission, resulting in disclosure of the names of configured
slaves (and contents of other sidepanel widgets, if present) to unauthorized
Local file inclusion vulnerability
SECURITY-195 / CVE-2015-5322
Access to the /jnlpJars/ URL was not limited to the specific JAR files users
needed to access, allowing browsing directories and downloading other files in
the Jenkins servlet resources, such as web.xml.
API tokens of other users available to admins
SECURITY-200 / CVE-2015-5323
API tokens of other users were exposed to admins by default. On instances that
don't implicitly grant RunScripts permission to admins, this allowed admins to
run scripts with another user's credentials.
JNLP slaves not subject to slave-to-master access control
SECURITY-206 / CVE-2015-5325
Slaves connecting via JNLP were not subject to the optional slave-to-master
access control documented at http://jenkins-ci.org/security-144
Stored XSS vulnerability in slave offline status message
SECURITY-214 / CVE-2015-5326
Users with the permission to take slave nodes offline can enter arbitrary HTML
that gets shown unescaped to users visiting the slave overview page.
Remote code execution vulnerability due to unsafe deserialization in Jenkins
SECURITY-218 / CVE pending
Unsafe deserialization allows unauthenticated remote attackers to run
arbitrary code on the Jenkins master.
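SECURITY-218 is a member of the broad class where a deserializer resolves whatever class the byte stream names. The usual mitigation is a deny-by-default allowlist enforced at class-resolution time. Below is an added example of that pattern, not Jenkins code: Jenkins uses Java serialization, while this shows the same control with Python's pickle, whose find_class hook is the single point where a stream can reach code. The payloads are constructed for the example:

```python
import datetime
import io
import pickle

# Allowlist of (module, name) pairs a payload may reference. Anything else,
# including every callable, is refused before it is ever constructed.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "tuple"),
    ("builtins", "str"),
    ("builtins", "int"),
    ("builtins", "float"),
    ("builtins", "bool"),
}


class UnsafeGlobalRefused(pickle.UnpicklingError):
    """Raised when a payload references a class or function outside the allowlist."""


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Invoked for every global the stream tries to resolve. Enforcing policy
        # here means the object is refused before any constructor or reducer runs.
        if (module, name) not in ALLOWED_GLOBALS:
            raise UnsafeGlobalRefused(f"refused global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Deserialize with the allowlist in force."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (accepted, value_or_reason); the reason string is what a
    detection hook would log when a payload is refused."""
    try:
        return True, safe_loads(data)
    except UnsafeGlobalRefused as exc:
        return False, str(exc)


# Constructed sample payloads.
# Plain containers and scalars use pickle opcodes that never resolve a global,
# so this one passes without find_class being consulted at all.
PLAIN_PAYLOAD = pickle.dumps({"job": "nightly", "builds": [1, 2, 3]})
# This one references datetime.date, which the allowlist does not cover; it is
# refused even though the class is harmless, because the policy is deny-by-default.
OBJECT_PAYLOAD = pickle.dumps({"when": datetime.date(2015, 11, 11)})
```

The design choice worth noting is that the filter is positioned at resolution time rather than after loading: by the time a loaded object could be inspected, its constructor and reducer have already run. Java offers the equivalent hook through a deserialization filter on the input stream; the allowlist is the portable idea.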
SECURITY-153 is considered low as users have no control over which information
they see, and the kind of information revealed is very limited.
SECURITY-169 is considered critical as it allows attackers to circumvent CSRF
SECURITY-173 is considered low due to the high degree of specific user
interaction required, and the limited information that can be gained this way.
SECURITY-184 is considered critical: It enables several different attacks,
compromising integrity, stability and confidentiality.
SECURITY-186 is considered medium: Low privileged users can gain some limited
information about items they should not have access to.
SECURITY-192 is considered medium: While the amount of information disclosed
is very limited, it is trivial to exploit.
SECURITY-195 is considered low: The information gained is very limited, and it
requires a specific setup to gain any non-public information this way.
SECURITY-200 is considered medium: In very specific circumstances, it allows
admins to gain permissions they would not otherwise have.
SECURITY-206 is considered high as it allows circumvention of the major
protection against less trusted node admins.
SECURITY-214 is considered medium as it allows admins and users with significant
privileges to circumvent XSS protection.
SECURITY-218 is considered critical as it allows unauthenticated remote
attackers to run arbitrary code on Jenkins.
All Jenkins main line releases up to and including 1.637
All Jenkins LTS releases up to and including 1.625.1
Jenkins main line users should update to 1.638
Jenkins LTS users should update to 1.625.2
These versions include fixes to all the vulnerabilities described above. All
prior versions are affected by these vulnerabilities.
The Jenkins project would like to thank the following people for discovering
and reporting these vulnerabilities:
Akshay Dayal (from Google) for SECURITY-184
Ari Rubinstein for SECURITY-195
Ben Walding for SECURITY-192
Daniel Beck for SECURITY-186
James Nord for SECURITY-169 and SECURITY-173
Jesse Glick for SECURITY-206
Nicolas De Loof for SECURITY-153
Oleg Nenashev for SECURITY-200
Plastunov Andrey, Digital Security (dsec.ru) for SECURITY-214
SECURITY-218: related blog post with mitigation after public disclosure of
Corresponding security advisory for CloudBees Jenkins Enterprise and CloudBees
Jenkins Operations Center by CloudBees
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.