===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3126
                    Jenkins Security Advisory 2017-12-06
                               7 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://jenkins.io/security/advisory/2017-12-06/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2017-12-06

This advisory announces a vulnerability in this Jenkins plugin:

  * EC2

Description

Arbitrary shell command execution on master by users with Agent-related
permissions in EC2 Plugin

SECURITY-643

Users with permission to create or configure agents in Jenkins could
configure an EC2 agent to run arbitrary shell commands on the master node
whenever the agent was supposed to be launched.

Configuration of these agents now requires the Run Scripts permission
typically only granted to administrators.

Severity

  * SECURITY-643: high

Affected versions

  * EC2 Plugin up to and including 1.37

Fix

  * EC2 Plugin should be updated to version 1.38

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporter for discovering and
reporting this vulnerability:

  * Jesse Glick, CloudBees Inc. for SECURITY-643

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
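As an added example that is not part of the Jenkins advisory or the AusCERT bulletin, the following Python script reads a Jenkins plugin inventory (the JSON that GET /pluginManager/api/json?depth=1 returns) and flags an installed EC2 Plugin older than the fixed 1.38 release. The sample JSON is constructed, and the base_url, user and api_token inputs to fetch_plugin_json are assumed (a read-only API token is enough).

```python
import json
import re
import base64
import urllib.request

# Constructed sample of the JSON that Jenkins returns from
# GET /pluginManager/api/json?depth=1 (only the fields used here are kept).
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "ec2", "version": "1.37", "active": True},
    {"shortName": "git", "version": "3.6.4", "active": True},
]})

# SECURITY-643: EC2 Plugin up to and including 1.37 is affected, 1.38 fixes it.
FIXED_VERSIONS = {"ec2": "1.38"}


def parse_version(version: str) -> tuple:
    """Turn '1.37' or '1.38-beta1' into a tuple of ints for ordering.
    Only the numeric dotted part before any '-' qualifier is compared."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_affected(short_name: str, version: str, fixed=FIXED_VERSIONS) -> bool:
    """True when the installed version is older than the first fixed release."""
    fix = fixed.get(short_name)
    return fix is not None and parse_version(version) < parse_version(fix)


def affected_plugins(plugin_json: str, fixed=FIXED_VERSIONS) -> list:
    """Return (shortName, version) for every installed plugin still affected."""
    plugins = json.loads(plugin_json).get("plugins", [])
    return [(p["shortName"], p["version"]) for p in plugins
            if is_affected(p["shortName"], p["version"], fixed)]


def fetch_plugin_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin inventory from a live controller (not used offline).
    base_url, user and api_token are assumed inputs for this example."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for name, ver in affected_plugins(SAMPLE_PLUGIN_JSON):
        print(f"{name} {ver}: update to {FIXED_VERSIONS[name]} or later")
```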
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.