12 November 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2817
                     Jenkins Security Advisory 2015-11-11
                               12 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jenkins
Publisher:         jenkins
Operating System:  Windows
                   OS X
                   Linux variants
                   BSD variants
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5326 CVE-2015-5325 CVE-2015-5324 CVE-2015-5323
                   CVE-2015-5322 CVE-2015-5321 CVE-2015-5320 CVE-2015-5319
                   CVE-2015-5318 CVE-2015-5317 CVE-2014-3665

Original Bulletin:
   https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2015-11-11

This advisory announces multiple vulnerabilities in Jenkins.

Description

Project name disclosure via fingerprints

SECURITY-153 / CVE-2015-5317

The Jenkins UI allowed users to see the names of jobs and builds otherwise
inaccessible to them on the "Fingerprints" pages if those shared file
fingerprints with fingerprinted files in accessible jobs.

Public value used for CSRF protection salt

SECURITY-169 / CVE-2015-5318

The salt used to generate the CSRF protection tokens was a publicly
accessible value, allowing malicious users to circumvent CSRF protection by
generating the correct token.
XXE injection into job configurations via CLI

SECURITY-173 / CVE-2015-5319

When creating a job using the create-job CLI command, external entities are
not discarded (nor processed). If these job configurations are processed by
another user with an XML-aware tool (e.g. using get-job/update-job),
information from that user's computer may be disclosed to Jenkins and the
attacker.

Secret key not verified when connecting a slave

SECURITY-184 / CVE-2015-5320

JNLP slave connections did not verify that the correct secret was supplied,
which allowed malicious users to connect their own machines as slaves to
Jenkins knowing only the name of the slave. This enables attackers to take
over Jenkins (unless the slave-to-master security subsystem is enabled) or
gain access to private data like keys and source code.

Queue API did show items not visible to the current user

SECURITY-186 / CVE-2015-5324

The /queue/api URL could return information about items not accessible to
the current user (such as parameter names and values, build names, project
descriptions, ...).

Information disclosure via sidepanel

SECURITY-192 / CVE-2015-5321

The CLI command overview and help pages in Jenkins were accessible without
Overall/Read permission, resulting in disclosure of the names of configured
slaves (and contents of other sidepanel widgets, if present) to unauthorized
users.

Local file inclusion vulnerability

SECURITY-195 / CVE-2015-5322

Access to the /jnlpJars/ URL was not limited to the specific JAR files users
needed to access, allowing browsing directories and downloading other files
in the Jenkins servlet resources, such as web.xml.

API tokens of other users available to admins

SECURITY-200 / CVE-2015-5323

API tokens of other users were exposed to admins by default. On instances
that don't implicitly grant RunScripts permission to admins, this allowed
admins to run scripts with another user's credentials.
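A pre-flight check for the situation SECURITY-173 describes, written as an added example (not code from the Jenkins project or from this bulletin): before a job configuration exported with get-job is handed to any XML-aware tool, scan it for a DOCTYPE and for entity declarations, and refuse it if either is present. The sample configurations are constructed for this example; the check uses Python's expat binding only as a scanner and registers no external-entity handler, so it fetches nothing itself.

```python
# Added example: pre-flight check for exported Jenkins job configuration
# XML before it is processed by an XML-aware tool (see SECURITY-173).
# Not code from the Jenkins project; the sample documents are constructed.
import xml.parsers.expat


def inspect_job_config(xml_bytes):
    """Scan a config.xml for a DOCTYPE and any entity declarations.

    Expat is used only as a scanner: no ExternalEntityRefHandler is set and
    parameter-entity parsing stays off, so neither an external DTD nor an
    external entity is ever fetched by this function.
    """
    report = {"doctype": None, "entities": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = {
            "name": name,
            "system_id": system_id,        # external DTD reference, if any
            "internal_subset": bool(has_internal_subset),
        }

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        report["entities"].append({
            "name": name,
            "parameter": bool(is_parameter_entity),
            "external": system_id is not None,  # SYSTEM/PUBLIC entity
            "system_id": system_id,
        })

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return report


def is_safe_job_config(xml_bytes):
    """Allowlist rule: a Jenkins config.xml never needs a DOCTYPE, so any
    DOCTYPE (internal subset or external DTD) is grounds for refusal."""
    return inspect_job_config(xml_bytes)["doctype"] is None


# Constructed sample: a job config as Jenkins normally stores it.
CLEAN_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<project>
  <description>nightly build</description>
  <keepDependencies>false</keepDependencies>
</project>
"""

# Constructed sample: the same config carrying an external entity
# declaration that an XML-aware tool on another user's machine could resolve.
TAINTED_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE project [
  <!ENTITY local SYSTEM "file:///placeholder/path/on/users/machine">
]>
<project>
  <description>&local;</description>
</project>
"""

# Constructed sample: no entities, but an external DTD reference that some
# tools fetch; the allowlist rule refuses it too.
EXTERNAL_DTD_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE project SYSTEM "http://dtd.example.invalid/project.dtd">
<project>
  <description>nightly build</description>
</project>
"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_CONFIG),
                       ("tainted", TAINTED_CONFIG),
                       ("external-dtd", EXTERNAL_DTD_CONFIG)):
        verdict = "accept" if is_safe_job_config(doc) else "refuse"
        print(label, verdict, inspect_job_config(doc))
```

The rule is deliberately an allowlist rather than a search for known-bad entity names: Jenkins-generated configuration never carries a DOCTYPE, so its presence alone is enough to stop the file before a less careful tool in the pipeline gets to resolve anything.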
JNLP slaves not subject to slave-to-master access control

SECURITY-206 / CVE-2015-5325

Slaves connecting via JNLP were not subject to the optional slave-to-master
access control documented at http://jenkins-ci.org/security-144
(CVE-2014-3665).

Stored XSS vulnerability in slave offline status message

SECURITY-214 / CVE-2015-5326

Users with the permission to take slave nodes offline can enter arbitrary
HTML that gets shown unescaped to users visiting the slave overview page.

Remote code execution vulnerability due to unsafe deserialization in Jenkins
remoting

SECURITY-218 / CVE pending

Unsafe deserialization allows unauthenticated remote attackers to run
arbitrary code on the Jenkins master.

Severity

SECURITY-153 is considered low as users have no control over which
information they see, and the kind of information revealed is very limited.

SECURITY-169 is considered critical as it allows attackers to circumvent
CSRF protection.

SECURITY-173 is considered low due to the high degree of specific user
interaction required, and the limited information that can be gained this
way.

SECURITY-184 is considered critical: It enables several different attacks,
compromising integrity, stability and confidentiality.

SECURITY-186 is considered medium: Low privileged users can gain some
limited information about items they should not have access to.

SECURITY-192 is considered medium: While the amount of information
disclosed is very limited, it is trivial to exploit.

SECURITY-195 is considered low: The information gained is very limited, and
it requires a specific setup to gain any non-public information this way.

SECURITY-200 is considered medium: In very specific circumstances, it allows
admins to gain permissions they would not otherwise have.

SECURITY-206 is considered high as it allows circumventing the major
protection against less trusted node admins.

SECURITY-214 is considered medium as it allows admins and users with
significant privileges to circumvent XSS protection.
SECURITY-218 is considered critical as it allows unauthenticated remote
attackers to run arbitrary code on Jenkins.

Affected versions

  All Jenkins main line releases up to and including 1.637
  All Jenkins LTS releases up to and including 1.625.1

Fix

  Jenkins main line users should update to 1.638
  Jenkins LTS users should update to 1.625.2

These versions include fixes to all the vulnerabilities described above.
All prior versions are affected by these vulnerabilities.

Credit

The Jenkins project would like to thank the following people for
discovering and reporting these vulnerabilities:

  Akshay Dayal (from Google) for SECURITY-184
  Ari Rubinstein for SECURITY-195
  Ben Walding for SECURITY-192
  Daniel Beck for SECURITY-186
  James Nord for SECURITY-169 and SECURITY-173
  Jesse Glick for SECURITY-206
  Nicolas De Loof for SECURITY-153
  Oleg Nenashev for SECURITY-200
  Plastunov Andrey, Digital Security (dsec.ru) for SECURITY-214

Other Resources

SECURITY-218: related blog post with mitigation after public disclosure of
this vulnerability
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

Corresponding security advisory for CloudBees Jenkins Enterprise and
CloudBees Jenkins Operations Center by CloudBees
https://www.cloudbees.com/jenkins-security-advisory-2015-11-11

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to email@example.com and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
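An affected-version check against the ranges given under "Affected versions" and "Fix" in the included advisory above, as an added example that is not part of the bulletin or of the Jenkins project. It assumes a version string read from a Jenkins instance's X-Jenkins response header or its page footer, and that three numeric components denote an LTS release while two denote a main line release (the Jenkins numbering of the time); the header dictionary and sample values are constructed.

```python
# Added example: check a Jenkins version string against the affected ranges
# stated in this advisory.  Not code from the Jenkins project or AusCERT;
# the header names and sample values are constructed.
import re

# Ranges as stated under "Affected versions" and "Fix".
MAINLINE_LAST_AFFECTED = (1, 637)
MAINLINE_FIXED = "1.638"
LTS_LAST_AFFECTED = (1, 625, 1)
LTS_FIXED = "1.625.2"

# Leading dotted integers; a trailing qualifier such as "-SNAPSHOT" is
# ignored for the comparison.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '1.625.1' into (1, 625, 1) so releases compare numerically
    (a plain string compare would rank '1.99' above '1.637')."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError("no numeric version found in %r" % (text,))
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version_text):
    """Classify a release as main line (two components) or LTS (three
    components; assumption made by this example) and report whether it
    falls inside the affected range and which release fixes it."""
    version = parse_version(version_text)
    if len(version) == 3:
        line, last_affected, fixed_in = "LTS", LTS_LAST_AFFECTED, LTS_FIXED
    elif len(version) == 2:
        line, last_affected, fixed_in = ("main line",
                                         MAINLINE_LAST_AFFECTED,
                                         MAINLINE_FIXED)
    else:
        raise ValueError("unexpected Jenkins version layout %r"
                         % (version_text,))
    return {
        "version": ".".join(str(p) for p in version),
        "line": line,
        "affected": version <= last_affected,
        "fixed_in": fixed_in,
    }


def assess_from_headers(headers):
    """Look the version up case-insensitively in a dict of HTTP response
    headers (Jenkins reports it in X-Jenkins) and assess it."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return assess(value)
    raise KeyError("no X-Jenkins header present")


if __name__ == "__main__":
    # Constructed sample values spanning both release lines.
    for sample in ("1.637", "1.638", "1.625.1", "1.625.2", "1.609.3"):
        print(assess(sample))
    print(assess_from_headers({"Content-Type": "text/html",
                               "X-Jenkins": "1.625.2"}))
```

Comparing tuples of integers rather than strings is the point of the parse step: an older LTS such as 1.609.3 sorts below 1.625.1 and is correctly reported as affected, while 1.625.2 sorts above it and is not.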
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVkP9Mn6ZAP0PgtI9AQKkTw//RxbmTlVJCueZ52Yc4w00A1wsPZNqQ3Ta
vBlmun9G7OGrjqKEeq6Iblyuzh65DdWBYBaAzEPqMmJqEDU3yjf54w8gBWYtGnl7
txQs77VFDQstc0FqiuCfc1rscVa7Z675ds7npUe98moI5YzZ8b+c0NmpBMpJIXu6
XfsFCMLiRHPEyJLvZdrARFzZk+h4y+fnvuBPvMdEOvUTDdz01OEZNTAfidZlSrDC
ZLiI38yh4e0oSJuf7v8dGmsd3uaZBo+v9wKxTRhKdD15RuWy1KW2RVk+/Ws+kXjF
OqXAJctR17dPpTXw7JDeg3qDNQcOv4kreq8SVlMdHks7d2FsvfsJreicVLJA262/
hHmeQgaPJo8cqvXBMymxLCByH4l6owqdugdJFvjyJfbGCuEo/al5VLACvLZ6SnDy
33Iem0KPh3utx1/Y2rNpJT49EsprA+3Vr1qIsY3iBMtmF2TWQf7yFTbkYabvpCG4
zoEVHyibh2Xi2HISwkRmWQNki/mIZIQ8zeQBXUROHr/sJozAwPTEeD/jQPATyA4r
HmyFBRxwZ2As6egGaypzWurq4R9T67hoDuxId/9zJj3A/hAL7uPChGII72F9QVxj
SEG7EerAi2UFspq/BqQZIEAOgsbBCpBDT/rvkzaOTvXDhNJklh+uHj+fTjFrpawo
T1CTFXQ7PQg=
=Y05Y
-----END PGP SIGNATURE-----