-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0871
                    Jenkins Security Advisory 2018-03-26
                               27 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8718

Original Bulletin:
   https://jenkins.io/security/advisory/2018-03-26/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-03-26

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Ansible Plugin
  o Copy To Slave Plugin
  o Cucumber Living Documentation Plugin
  o GitHub Pull Request Builder Plugin
  o Liquibase Runner Plugin
  o Mailer Plugin
  o Perforce Plugin
  o Reverse Proxy Auth Plugin
  o vSphere Plugin

Descriptions

GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml
SECURITY-261

GitHub Pull Request Builder Plugin stored serialized objects in build.xml
files that contained the credential used to poll Jenkins. This can be used by
users with master file system access to obtain GitHub credentials.

Since 1.40.0, the plugin no longer stores serialized objects containing the
credential on disk.

Builds started before the plugin was updated to 1.40.0 will retain the encoded
credentials on disk. We strongly recommend revoking old GitHub credentials
used in Jenkins.
We're providing a script for use in the Script Console that will attempt to
remove old stored credentials from build.xml files.

GitHub Pull Request Builder Plugin stores webhook secret in plain text
SECURITY-262

GitHub Pull Request Builder Plugin stored the webhook secret shared between
Jenkins and GitHub in plain text. This allowed users with Jenkins master local
file system access and Jenkins administrators to retrieve the stored password.
The latter could result in exposure of the passwords through browser
extensions, cross-site scripting vulnerabilities, and similar situations.

GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook secret
encrypted on disk.

Cucumber Living Documentation Plugin disabled Content-Security-Policy for
archived and workspace files
SECURITY-308

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as
protection against Cross-Site Scripting attacks using workspace files and
archived artifacts served using DirectoryBrowserSupport (SECURITY-95).

Cucumber Living Documentation Plugin disabled this XSS protection until Jenkins
was restarted whenever a Cucumber Report was viewed by any user, to work around
the Content-Security-Policy limitations. While disabling this protection
mechanism temporarily may be necessary to make plugins work that haven't been
adapted to the Content-Security-Policy restriction, this should only be done by
administrators, as doing so may result in a security issue (see Configuring
Content Security Policy).

This has been addressed in version 1.1.0 of the plugin, which now instead asks
users to change the Content-Security-Policy option in Jenkins.

Perforce Plugin uses ineffective credentials encryption
SECURITY-373

Perforce Plugin encrypts its credentials using DES and a hard-coded key that is
part of its public source code, so the encryption only serves as basic
obfuscation.
This allowed users with Jenkins master local file system access and Jenkins
administrators to retrieve the stored password. The latter could result in
exposure of the passwords through browser extensions, cross-site scripting
vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix. The plugin has been
removed from publication at the request of its former maintainers. We
recommend that users of Perforce Plugin use the P4 Plugin instead.

vSphere Plugin does not validate SSL/TLS certificates
SECURITY-504

vSphere Plugin disabled SSL/TLS certificate validation unconditionally,
allowing potential man-in-the-middle attacks.

vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by default.

CSRF vulnerability and missing permission checks in vSphere Plugin form
validation allowed enumerating credentials IDs, capturing credentials, and
denial of service
SECURITY-745

vSphere Plugin did not perform permission checks on methods implementing form
validation. This allowed users with Overall/Read access to Jenkins to perform
various actions such as:

  o Connect to an attacker-specified vSphere server using attacker-specified
    credentials IDs obtained through another method, capturing credentials
    stored in Jenkins
  o Connect to configured vSphere servers and look up information, potentially
    resulting in denial of service

Additionally, these form validation methods did not require POST requests,
resulting in a CSRF vulnerability.

These form validation methods now require POST requests and appropriate user
permissions.

Liquibase Runner Plugin allows users to load arbitrary Java code into master
JVM
SECURITY-519

Liquibase Runner Plugin allows users with Job/Configure permission to
configure its build step in a way that loads arbitrary class files into the
Jenkins master JVM, resulting in arbitrary code execution.

As of publication of this advisory, there is no fix.
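The pattern behind SECURITY-504 above, and its fix, in Java. This is an added illustration written for this bulletin, not code from vSphere Plugin or the Jenkins project: trustEverything is the kind of code that switches certificate validation off, and contextFor builds an SSLContext that validates against either the JVM's default trust store or an administrator-supplied one. The class name, method names, the vcenter.example.internal host and the trust-store arguments are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper written for this example; the names are assumptions. */
public final class TlsValidationDemo {

    /**
     * The anti-pattern: a TrustManager that accepts any certificate chain plus a
     * HostnameVerifier that accepts any name. Installing them as JVM-wide defaults,
     * as done here, also strips certificate validation from every other plugin
     * running in the same Jenkins master JVM. Shown only for contrast.
     */
    static void trustEverything() throws GeneralSecurityException {
        TrustManager[] acceptAll = { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    /**
     * The fix: validate against a real trust store. With no explicit store the JVM's
     * default (cacerts) is used; an administrator can instead supply a JKS/PKCS12
     * file holding the internal CA that signed the vSphere server's certificate.
     * Hostname verification is left at the JDK default, which checks the chain
     * against the host named in the URL.
     */
    static SSLContext contextFor(Path trustStore, char[] storePassword)
            throws GeneralSecurityException, IOException {
        if (trustStore == null) {
            return SSLContext.getDefault();
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, storePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Applies the validating context to this one connection only, never JVM-wide. */
    static int probe(URL httpsUrl, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) httpsUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        try {
            return conn.getResponseCode(); // SSLHandshakeException if the chain is not trusted
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Arguments: <https URL> [trust store path] [trust store password]; all assumed values.
        URL target = new URL(args.length > 0 ? args[0] : "https://vcenter.example.internal/");
        Path store = args.length > 1 ? Paths.get(args[1]) : null;
        char[] pw = args.length > 2 ? args[2].toCharArray() : "changeit".toCharArray();
        System.out.println("HTTP " + probe(target, contextFor(store, pw)));
    }
}
```

Run as java TlsValidationDemo https://host/ /path/to/truststore.p12 password; against a server whose chain is not in the store, probe fails with SSLHandshakeException instead of silently connecting, which is the default behaviour vSphere Plugin 2.17 restores. If a plugin must offer an opt-out for self-signed lab servers, it belongs behind an explicit administrator-controlled setting and should be applied per connection, not through the static setDefault* calls used in trustEverything.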
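Why the Perforce Plugin scheme (SECURITY-373 above, and SECURITY-536 below) is obfuscation rather than encryption, shown in Java. This is an added example written for this bulletin, not the plugin's code: the key, the DES/ECB/PKCS5Padding transformation, the class and method names and the sample password are all assumptions made for the illustration. Whoever can read the plugin's source holds everything needed to run recover.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical; key, mode and padding are assumptions, not the Perforce Plugin's real values. */
public final class HardcodedKeyDemo {

    // Anyone can read this from the public source repository, so it is not a secret.
    private static final byte[] KEY_IN_SOURCE = "8byteKey".getBytes(StandardCharsets.US_ASCII);
    private static final String TRANSFORMATION = "DES/ECB/PKCS5Padding";

    private static Cipher cipher(int mode) throws GeneralSecurityException {
        SecretKey key = new SecretKeySpec(KEY_IN_SOURCE, "DES");
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(mode, key);
        return c;
    }

    /** What ends up in config.xml: it looks encrypted, but the key is public. */
    static String obfuscate(String plaintext) throws GeneralSecurityException {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE).doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    /** What an Extended Read user, or anyone holding a copy of config.xml, does with it. */
    static String recover(String stored) throws GeneralSecurityException {
        byte[] pt = cipher(Cipher.DECRYPT_MODE).doFinal(Base64.getDecoder().decode(stored));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String stored = obfuscate("p4-service-account-password"); // constructed sample value
        System.out.println("stored in config.xml: " + stored);
        // The reader of the public source has the same constant and makes the same call.
        System.out.println("recovered:            " + recover(stored));
    }
}
```

Run with java HardcodedKeyDemo; the second line prints the original password. Jenkins' own hudson.util.Secret avoids both problems the advisory describes: its key is generated per instance and kept under $JENKINS_HOME/secrets/, so a copy of config.xml alone does not decrypt anything, and Jenkins recognises Secret values as secrets, which is what lets it redact them in the configuration it serves to Extended Read users. A plugin gets that protection by declaring the field as Secret (Secret.fromString on input, getPlainText when the value is used) instead of rolling its own cipher.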
Perforce Plugin credentials can be obtained by users with Job/Extended Read
permission
SECURITY-536

Jenkins prevents users with Extended Read permission from obtaining secrets
such as credentials stored in job configurations. Perforce Plugin implements
its own credential encryption using DES and an encryption key stored in its
public source code. Jenkins does not recognize the result as a secret, so
Perforce credentials stored in job configurations are potentially exposed to
users with Extended Read permission. While these are encrypted, this can only
be considered basic obfuscation because the hard-coded key is publicly known.

As of publication of this advisory, there is no fix. The plugin has been
removed from publication at the request of its maintainers. We recommend that
users of Perforce Plugin use the P4 Plugin instead.

Copy To Slave Plugin allows access to arbitrary files on the Jenkins master
file system
SECURITY-545

Copy To Slave Plugin allows users with Job/Configure permission to configure
it in such a way that it allows obtaining arbitrary files accessible to the
Jenkins master process from the Jenkins master file system.

As of publication of this advisory, there is no fix.

Ansible Plugin disabled host key verification by default
SECURITY-630

Ansible Plugin disabled host key verification by default, offering it only as
an opt-in option.

Ansible Plugin 1.0 now enables host key verification by default, adding
options allowing users to opt out. Existing configurations that previously did
not opt into host key verification will have host key verification enabled
after the update, possibly resulting in failures.

Reverse Proxy Auth Plugin persisted authorities cache on disk
SECURITY-736

Reverse Proxy Auth Plugin persisted a cache of granted authorities (group
memberships) on disk. This could allow users with local Jenkins master file
system access to obtain group membership information of Jenkins users.
Reverse Proxy Auth Plugin 1.6.0 and newer no longer stores the cache of
granted authorities on disk.

Mailer Plugin allowed unauthorized users to send test emails
SECURITY-774 / CVE-2018-8718

A missing permission check in Mailer Plugin allowed users with Overall/Read
access to Jenkins to have it connect to a user-specified mail server with
user-specified credentials to send a test email to a user-specified email
address. The email subject and body could not be changed. This could result in
denial of service, for example by specifying a valid mail server but invalid
credentials.

As the same URL did not require POST to be used, it also was vulnerable to
cross-site request forgery.

The URL handling test emails now requires POST to protect from CSRF, and
performs an Overall/Administer permission check.

Severity

  o SECURITY-261: medium
  o SECURITY-262: low
  o SECURITY-308: medium
  o SECURITY-373: medium
  o SECURITY-504: medium
  o SECURITY-745: medium
  o SECURITY-519: high
  o SECURITY-536: medium
  o SECURITY-545: medium
  o SECURITY-630: medium
  o SECURITY-736: low
  o SECURITY-774: medium

Affected Versions

  o Ansible Plugin up to and including 0.8
  o Copy To Slave Plugin up to and including 1.4.4
  o Cucumber Living Documentation Plugin up to and including 1.0.12
  o GitHub Pull Request Builder Plugin up to and including 1.39.0
  o Liquibase Runner Plugin up to and including 1.3.0
  o Mailer Plugin up to and including 1.20
  o Perforce Plugin up to and including 1.3.36
  o Reverse Proxy Auth Plugin up to and including 1.5
  o vSphere Plugin up to and including 2.16

Fix

  o Ansible Plugin should be updated to version 1.0
  o Cucumber Living Documentation Plugin should be updated to version 1.1.0
  o GitHub Pull Request Builder Plugin should be updated to version 1.40.0
  o Mailer Plugin should be updated to version 1.21
  o Reverse Proxy Auth Plugin should be updated to version 1.6.0
  o vSphere Plugin should be updated to version 2.17

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Copy To Slave Plugin
  o Liquibase Runner Plugin
  o Perforce Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-308, SECURITY-745, SECURITY-630
  o Hyoungwook Jang, SKinfosec, Inc. for SECURITY-774
  o Jesse Glick, CloudBees, Inc. for SECURITY-545
  o Oleg Nenashev, CloudBees, Inc. for SECURITY-536, SECURITY-736
  o Peter Adkins for SECURITY-504
  o Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG for SECURITY-261,
    SECURITY-262, SECURITY-373
  o Yoann Dubreuil, CloudBees, Inc. for SECURITY-519

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWrnNC4x+lLeg9Ub1AQgZxg/9FbAMILyYOlf0BtPHOTGBaPau9LGJzFJQ
wWi7lv7LQqFDT/fW9mH3qzu9072bJnUaMpu/xKXGUsx8TJddAIHRPsD9Type3Yt6
5hUngPICPvzxY4sDYWzdL2q13g1ysMvbwwPC+ujH138+FxXApLgc3T51hwQjdvgg
wVE9P4Ign1R/RyyUXhicmkGUiNzq/QaM/TXlq92AI0I8myo2AJ9yhyhT4DpdQX4H
ZO4V7m4Etx5JPWI8jyMFvh5aVCFbybv6YZTeJlXi+x2pCUOp8htG4YEAq7bej/DU
yg+kxek1R/bijBIz6s89SCyF6r5adJNpqDSfC1ljgf72mjDczszzsue5X2dRtFgI
+XPgjXxztwrPvXC+snWFGw9wuYLwjexRUCYq2ufFV+J3wR+vNr9rSUffHJerXdKR
7ziOwvXhw9d28NFX6CSzhNhGVscwDH3n8KXWL1WcQXbWBxoOwkRV8kH7NMmcXgnJ
dG0JuU2nyJbSzEoJ72t2omVy2UvEknDoBU4uFNJV8NvA6vL2x/lYbc6DODG/20S+
G7CmZZbe5NZa97XHInn1Tej/3sJIL0g1L7fzFcWPSgqfoo1hd4ciXntb1fUABChg
edN+ElR2SlQlsrHWNbDMnlG9H9CP57DdNn4e3Pbw2c7rF3lCHsXplDP30ZfYJA7a
+LulzQz0mRk=
=M14J
-----END PGP SIGNATURE-----