Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2563
Jenkins Security Advisory 2017-10-11
12 October 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Jenkins
Publisher: Jenkins
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3092 CVE-2012-6153
Reference: ASB-2017.0119
ASB-2017.0116
ESB-2017.2415
ESB-2017.1595
Original Bulletin:
https://jenkins.io/security/advisory/2017-10-11/
- --------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2017-10-11
This advisory announces multiple vulnerabilities in Jenkins (weekly and LTS),
and these plugins:
Maven Plugin
Swarm Plugin Client
Speaks! Plugin
Description
Arbitrary shell command execution on master by users with Agent-related
permissions
SECURITY-478 / CVE pending
Users with permission to create or configure agents in Jenkins could configure
a launch method called Launch agent via execution of command on master. This
allowed them to run arbitrary shell commands on the master node whenever the
agent was supposed to be launched.
Configuration of this launch method now requires the Run Scripts permission
typically only granted to administrators.
A known limitation of this fix is that users without the Run Scripts
permission are no longer able to configure agents with this launch method at
all, even if the launch method remains unchanged.
A future release of Jenkins will move this launch method into a separate
plugin. That plugin will depend on Script Security Plugin to secure this field
and restore the ability of users without the Run Scripts permission to
configure an agent with this launch method.
Jenkins core bundled vulnerable version of the commons-fileupload library
SECURITY-490 / CVE pending
Jenkins bundled a version of the commons-fileupload library with the
denial-of-service vulnerability known as CVE-2016-3092.
The fix for that vulnerability has been backported to the version of the
library bundled with Jenkins.
"User" remote API disclosed users' email addresses
SECURITY-514 / CVE pending
Information about Jenkins user accounts is generally available to anyone with
Overall/Read permissions via the /user/(username)/api remote API. This
included e.g. Jenkins users' email addresses if the Mailer Plugin is
installed.
The remote API now no longer includes information beyond the most basic (user
ID and name) unless the user requesting it is a Jenkins administrator or the
user themselves.
Jenkins core bundled vulnerable version of the commons-httpclient library
SECURITY-555 / CVE pending
Jenkins bundled a version of the commons-httpclient library with the
vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making
it susceptible to man-in-the-middle attacks.
This library is widely used as a transitive dependency in Jenkins plugins.
The fix for CVE-2012-6153 was backported to the version of commons-httpclient
that is bundled in core and made available to plugins.
Maven Plugin bundled vulnerable version of the commons-httpclient library
SECURITY-557 / CVE pending
Maven Plugin bundled a version of the commons-httpclient library with the
vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making
it susceptible to man-in-the-middle attacks.
Maven Plugin 3.0 no longer has a dependency on commons-httpclient.
Swarm Plugin Client bundled vulnerable version of the commons-httpclient
library
SECURITY-597 / CVE pending
Swarm Plugin Client bundled a version of the commons-httpclient library with
the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates,
making it susceptible to man-in-the-middle attacks.
The fix for CVE-2012-6153 was backported to the version of commons-httpclient
bundled in Swarm Plugin Client.
IMPORTANT: Please note that Swarm Plugin Client needs to be updated
independently from the plugin. Updating just the plugin will not resolve the
security vulnerability.
"Computer" remote API disclosed information about inaccessible jobs
SECURITY-611 / CVE pending
The remote API at /computer/(agent-name)/api showed information about tasks
(typically builds) currently running on that agent. This included information
about tasks that the current user otherwise has no access to, e.g. due to lack
of Job/Read permission.
This has been fixed, and the API now only shows information about accessible
tasks.
"Queue Item" remote API disclosed information about inaccessible jobs
SECURITY-618 / CVE pending
The remote API at /queue/item/(ID)/api showed information about tasks in the
queue (typically builds waiting to start). This included information about
tasks that the current user otherwise has no access to, e.g. due to lack of
Job/Read permission.
This has been fixed, and the API endpoint is now only available for tasks that
the current user has access to.
"Job" remote API disclosed information about inaccessible upstream/downstream
jobs
SECURITY-617 / CVE pending
The remote API at /job/(job-name)/api contained information about upstream and
downstream projects. This included information about tasks that the current
user otherwise has no access to, e.g. due to lack of Job/Read permission.
This has been fixed, and the API now only lists upstream and downstream
projects that the current user has access to.
Form validation for password fields was sent via GET
SECURITY-616 / CVE pending
The Jenkins default form control for passwords and other secrets,
<f:password/>, supports form validation (e.g. for API keys). The form
validation AJAX requests were sent via GET, which could result in secrets
being logged to a HTTP access log in non-default configurations of Jenkins,
and made available to users with access to these log files.
Form validation for <f:password/> is now always sent via POST, with the
password in the request body, which is typically not logged.
Arbitrary code execution vulnerability in Speaks! Plugin
SECURITY-623 / CVE pending
This plugin allows users with Job/Configure permission to run arbitrary Groovy
code inside the Jenkins JVM, effectively elevating privileges to Overall/Run
Scripts.
As of publication of this advisory, there is no fix.
Severity
SECURITY-478: high
SECURITY-490: high
SECURITY-514: medium
SECURITY-555: medium
SECURITY-557: medium
SECURITY-597: medium
SECURITY-611: medium
SECURITY-616: low
SECURITY-617: medium
SECURITY-618: medium
SECURITY-623: high
Affected versions
Jenkins weekly up to and including 2.83
Jenkins LTS up to and including 2.73.1
Maven Plugin up to and including 2.17
All versions of Speaks! Plugin
Swarm Plugin (Client) up to and including 3.4
Fix
Jenkins weekly should be updated to 2.84
Jenkins LTS should be updated to 2.73.2
Maven Plugin should be updated to 3.0
Swarm Plugin (Client) should be updated to 3.5
These versions include fixes to the vulnerabilities described above. All prior
versions are affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, there is no fix available for Speaks!
Plugin. Its distribution has been suspended.
Credit
The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:
Ben Walding, CloudBees, Inc. for SECURITY-616
Daniel Beck, CloudBees, Inc. for SECURITY-478, SECURITY-611, SECURITY-623
Jesse Glick, CloudBees, Inc. for SECURITY-617, SECURITY-618
Other Resources
Announcement blog post
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWd7WdIx+lLeg9Ub1AQh1vg//Rl4NHxa1PSzL5fhvRK0k8X/V2+UEt9+4
VHzjokcJNJlRv/fr4by4IpIQ5TchMPN9RS7ANFwwIqLEEqjSyCSL7aQ2YG648JoO
GBd4/ZVtx46Lzk5dyqpCqgwfw8qsAtSHD0qI/of9o/h1ewK6F1/AEaQIRFcn3lmZ
xud8aNAu6imqhaRBX/2yf140vGe1PWRWOctVaOFZMDBLjRQR00EwebKHhChzehVY
oCaJhu9egNyzKaL0bCPAcaUwDxAfBP3RinEtMMsftDmIGzpds08b+UW3azpl06+B
LYDNOgkB4DluJYgIkfOwRsJMSruBRXUcAPPJiQtYM0Ez5kaonuP7Wkm9Awppvgq3
81ILF5eQ3NSAXPgiWPzXSyuRVowS76XrVWuMAxccv2i6/sMQImXSOpxDimyu5bnr
+XITcLIRsBESWQrf7EJNra7rbxvkGjbDW+SAzAIf4NxpqI7KQDRQ4QsxqoFRa7U/
lAq5WJHaazpHiBLOd6n/PEnW39arlYnuZM8dOp8OiHxAf0wdeE7UETp8A+eMwS0W
xS85pmu/LAepFHlOr4HZV/h103XVhxNWq2wq+IQVvLa3UXziHS/QRP08AFOw848q
OBrThJJ8s8/xi5jBaNgSiXGlYbvvJ1rIeSp9LjH5V8H8SambAMfgzV7YWfPtb/za
qSSACz6+zAk=
=+0xl
-----END PGP SIGNATURE-----