Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                   Jenkins Security Advisory 2015-11-11
                             12 November 2015


        AusCERT Security Bulletin Summary

Product:           jenkins
Publisher:         jenkins
Operating System:  Windows
                   OS X
                   Linux variants
                   BSD variants
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Existing Account            
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Existing Account            
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5326 CVE-2015-5325 CVE-2015-5324
                   CVE-2015-5323 CVE-2015-5322 CVE-2015-5321
                   CVE-2015-5320 CVE-2015-5319 CVE-2015-5318
                   CVE-2015-5317 CVE-2014-3665 

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2015-11-11

This advisory announces multiple vulnerabilities in Jenkins.


Project name disclosure via fingerprints

SECURITY-153 / CVE-2015-5317

The Jenkins UI allowed users to see the names of jobs and builds otherwise 
inaccessible to them on the "Fingerprints" pages if those shared file 
fingerprints with fingerprinted files in accessible jobs.

Public value used for CSRF protection salt

SECURITY-169 / CVE-2015-5318

The salt used to generate the CSRF protection tokens was a publicly accessible
value, allowing malicious users to circumvent CSRF protection by generating 
the correct token.

XXE injection into job configurations via CLI

SECURITY-173 / CVE-2015-5319

When creating a job using the create-job CLI command, external entities are 
not discarded (nor processed). If these job configurations are processed by 
another user with an XML-aware tool (e.g. using get-job/update-job), 
information from that user's computer may be disclosed to Jenkins and the 

Secret key not verified when connecting a slave

SECURITY-184 / CVE-2015-5320

JNLP slave connections did not verify that the correct secret was supplied, 
which allowed malicious users to connect their own machines as slaves to 
Jenkins knowing only the name of the slave. This enables attackers to take 
over Jenkins (unless the slave-to-master security subsystem is enabled) or 
gain access to private data like keys and source code.

Queue API did show items not visible to the current user

SECURITY-186 / CVE-2015-5324

The /queue/api URL could return information about items not accessible to the
current user (such as parameter names and values, build names, project 
descriptions, ).

Information disclosure via sidepanel

SECURITY-192 / CVE-2015-5321

The CLI command overview and help pages in Jenkins were accessible without 
Overall/Read permission, resulting in disclosure of the names of configured 
slaves (and contents of other sidepanel widgets, if present) to unauthorized 

Local file inclusion vulnerability

SECURITY-195 / CVE-2015-5322

Access to the /jnlpJars/ URL was not limited to the specific JAR files users 
needed to access, allowing browsing directories and downloading other files in
the Jenkins servlet resources, such as web.xml.

API tokens of other users available to admins

SECURITY-200 / CVE-2015-5323

API tokens of other users were exposed to admins by default. On instances that
don't implicitly grant RunScripts permission to admins, this allowed admins to
run scripts with another user's credentials.

JNLP slaves not subject to slave-to-master access control

SECURITY-206 / CVE-2015-5325

Slaves connecting via JNLP were not subject to the optional slave-to-master 
access control documented at http://jenkins-ci.org/security-144 

Stored XSS vulnerability in slave offline status message

SECURITY-214 / CVE-2015-5326

Users with the permission to take slave nodes offline can enter arbitrary HTML
that gets shown unescaped to users visiting the slave overview page.

Remote code execution vulnerability due to unsafe deserialization in Jenkins 

SECURITY-218 / CVE pending

Unsafe deserialization allows unauthenticated remote attackers to run 
arbitrary code on the Jenkins master.


SECURITY-153 is considered low as users have no control over which information
they see, and the kind of information revealed is very limited.

SECURITY-169 is considered critical as it allows attackers to circumvent CSRF

SECURITY-173 is considered low due to the high degree of specific user 
interaction required, and the limited information that can be gained this way.

SECURITY-184 is considered critical: It enables several different attacks, 
compromising integrity, stability and confidentiality.

SECURITY-186 is considered medium: Low privileged users can gain some limited
information about items they should not have access to.

SECURITY-192 is considered medium: While the amount of information disclosed 
is very limited, it is trivial to exploit.

SECURITY-195 is considered low: The information gained is very limited, and it
requires a specific setup to gain any non-public information this way.

SECURITY-200 is considered medium: In very specific circumstances, it allows 
admins to gain permissions they would not otherwise have.

SECURITY-206 is considered high as it allows to circumvent the major 
protection against less trusted node admins.

SECURITY-214 is considered medium as allows admins and users with significant
privileges to circumvent XSS protection.

SECURITY-218 is considered critical as it allows unauthenticated remote 
attackers to run arbitrary code on Jenkins.

Affected versions

All Jenkins main line releases up to and including 1.637

All Jenkins LTS releases up to and including 1.625.1


Jenkins main line users should update to 1.638

Jenkins LTS users should update to 1.625.2

These versions include fixes to all the vulnerabilities described above. All 
prior versions are affected by these vulnerabilities.


The Jenkins project would like to thank the following people for discovering 
and reporting these vulnerabilities:

Akshay Dayal (from Google) for SECURITY-184

Ari Rubinstein for SECURITY-195

Ben Walding for SECURITY-192

Daniel Beck for SECURITY-186

James Nord for SECURITY-169 and SECURITY-173

Jesse Glick for SECURITY-206

Nicolas De Loof for SECURITY-153

Oleg Nenashev for SECURITY-200

Plastunov Andrey, Digital Security (dsec.ru) for SECURITY-214

Other Resources

SECURITY-218: related blog post with mitigation after public disclosure of 
this vulnerability


Corresponding security advisory for CloudBees Jenkins Enterprise and CloudBees
Jenkins Operations Center by CloudBees


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967