Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1175
Jenkins Security Advisory 2016-05-11
12 May 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: jenkins
Publisher: jenkins
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Access Privileged Data -- Existing Account
Denial of Service -- Existing Account
Provide Misleading Information -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3727 CVE-2016-3726 CVE-2016-3725
CVE-2016-3724 CVE-2016-3723 CVE-2016-3722
CVE-2016-3721
Original Bulletin:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
- --------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2016-05-11
Added by Daniel Beck, last edited by Daniel Beck on May 11, 2016
Go to start of metadata
This advisory announces multiple vulnerabilities in Jenkins.
Description
Arbitrary build parameters are passed to build scripts as environment
variables
SECURITY-170 / CVE-2016-3721
Build parameters in Jenkins typically are passed to build scripts as
environment variables. Some plugins allow passing arbitrary (undeclared)
parameters. Depending on access permissions and installed plugins, malicious
users were able to trigger builds, passing arbitrary environment variables
(e.g. PATH) to modify the behavior of those builds. Rather than expect all
plugin authors to be aware of this potential problem, Jenkins now filters the
build parameters based on what is defined on the job.
As this change is known to affect a number of plugins, it's possible to
restore the previous behavior by setting the system property
hudson.model.ParametersAction.keepUndefinedParameters to true. This is
potentially very unsafe and intended as a short-term workaround only.
To allow specific, known safe parameter names to be passed to builds, set the
system property hudson.model.ParametersAction.safeParameters to a
comma-separated list of safe parameter names. Example:
java -Dhudson.model.ParametersAction.safeParameters=FOO,BAR_BAZ,qux -jar
jenkins.war
Malicious users with multiple user accounts can prevent other users from
logging in
SECURITY-243 / CVE-2016-3722
By changing the freely editable 'full name', malicious users with multiple
user accounts could prevent other users from logging in, as 'full name' was
resolved before actual user name to determine which account is currently
trying to log in. Information on installed plugins exposed via API
SECURITY-250 / CVE-2016-3723
The XML/JSON API endpoints providing information about installed plugins were
missing permissions checks, allowing any user with read access to Jenkins to
determine which plugins and versions were installed. Encrypted secrets (e.g.
passwords) were leaked to users with permission to read configuration
SECURITY-266 / CVE-2016-3724
Users with extended read access could access encrypted secrets stored directly
in the configuration of those items.
As a side-effect of this change, copying a job that contains secrets in its
configuration now requires the Configure permission on that job. Regular users
can trigger download of update site metadata
SECURITY-273 / CVE-2016-3725
A missing permissions check allowed any user with access to Jenkins to trigger
an update of update site metadata. This could be combined with DNS cache
poisoning to disrupt Jenkins service. Open redirect to scheme-relative URLs
SECURITY-276 / CVE-2016-3726
Some Jenkins URLs did not properly validate the redirect URLs, which allowed
malicious users to create URLs that redirect users to arbitrary
scheme-relative URLs. Granting the permission to read node configurations
allows access to overall system configuration
SECURITY-281 / CVE-2016-3727
The API URL /computer/(master)/api/xml allowed users with the 'extended read'
permission for the master node to see some global Jenkins configuration,
including the configuration of the security realm.
This URL now unconditionally sends HTTP 400 Bad Request when accessed. There
is no workaround.
Severity
SECURITY-170 is considered medium.
SECURITY-243 is considered low.
SECURITY-250 is considered medium.
SECURITY-266 is considered medium.
SECURITY-273 is considered low.
SECURITY-276 is considered medium.
SECURITY-281 is considered medium.
Affected versions
All Jenkins main line releases up to and including 2.2
All Jenkins LTS releases up to and including 1.651.1
Fix
Jenkins main line users should update to 2.3
Jenkins LTS users should update to 1.651.2
These versions include fixes to all the vulnerabilities described above. All
prior versions are affected by these vulnerabilities. Credit
The Jenkins project would like to thank the following people for discovering
and reporting these vulnerabilities:
Adam Cazzolla and Ben Bleiberg, Sonatype Inc. for SECURITY-276
Charles Nelson for SECURITY-250
James Nord, CloudBees, Inc. for SECURITY-273
Jesse Glick, CloudBees, Inc. for SECURITY-281
Stephen Connolly, CloudBees, Inc. for SECURITY-170
Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG for SECURITY-243 and
SECURITY-266
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVzQco36ZAP0PgtI9AQKnTxAArG+to3GaopBttBhbybP0uq9z/GYoJOkx
qMpASj+if9+htMJ4npHctOwaObT+YCMiCKqz+iss9ru+AKtVn1bDGmgr2ccFonPs
hBchsH09MnGU9xrpu0M4uypnF9qNT87yIJhZ4pgDEOMB+Ivtgl8B3JftWo9hdrm9
JtdA03EvBFn0VtBbKPR3knp3mjRqHPwCPy/8MKiQazhRx69D0a6xs7A6t0eYtW/5
MRmW2sPs0TaSwdb7jwV1sf+KnfRq4WWzpgdCl40niS8Ji9wmRn99djbJBFY2ZUYG
Z9BaZcgCppOO9aWhwdtfFwQ+k1xXn4aUqcQRunpgWSKtql4+1oqI90hQWPRAPhKx
7XHHGecfiy3bWz2ecMl/W0Gk4fTCqyq/MVI6FMNd6lLVrkgMgL/K/cmhGFiTBTtq
u+dusPmwkP/qKscoiKQO+6f7rWaWDLHMTe4HsD2TVHTQi9Od/SzdkThJ6pLExq1X
6fAELCEA4U5h9N1U65hDTovy0O0qOOGPdfbPofzuq5CuMBGWRC+yY8wVj4zKj1cm
szoMyuBUBPxY0pHBjvU28qRxNGGkXKeE+IEMyRlzYJ5cODVahok4Al6jLBUp39Gk
Z6DuuV8lRFUss4WqalvDdRIbxevoit1SEJpmy2wWywzzR6nQUz5ly3P8m1riazi4
Gmco2YQjaw8=
=ZPMi
-----END PGP SIGNATURE-----