===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0871
                   Jenkins Security Advisory 2018-03-26
                               27 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Access Privileged Data          -- Existing Account            
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account            
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8718  

Original Bulletin: 
   https://jenkins.io/security/advisory/2018-03-26/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-03-26

This advisory announces vulnerabilities in the following Jenkins deliverables:

    Ansible Plugin
    Copy To Slave Plugin
    Cucumber Living Documentation Plugin
    GitHub Pull Request Builder Plugin
    Liquibase Runner Plugin
    Mailer Plugin
    Perforce Plugin
    Reverse Proxy Auth Plugin
    vSphere Plugin

Descriptions

GitHub Pull Request Builder Plugin stores GitHub access tokens in build.xml

SECURITY-261

GitHub Pull Request Builder Plugin stored serialized objects in build.xml 
files that contained the credential used to poll GitHub. This allowed users 
with Jenkins master file system access to obtain GitHub credentials.

Since 1.40.0, the plugin no longer stores serialized objects containing the 
credential on disk.

Builds started before the plugin was updated to 1.40.0 retain the encoded 
credentials on disk. We strongly recommend revoking old GitHub credentials 
used in Jenkins. We're providing a script for use in the Script Console that 
will attempt to remove old stored credentials from build.xml files.

GitHub Pull Request Builder Plugin stores webhook secret in plain text

SECURITY-262

GitHub Pull Request Builder Plugin stored the webhook secret shared between 
Jenkins and GitHub in plain text.

This allowed users with Jenkins master local file system access and Jenkins 
administrators to retrieve the stored password. The latter could result in 
exposure of the passwords through browser extensions, cross-site scripting 
vulnerabilities, and similar situations.

GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook secret
encrypted on disk.

Cucumber Living Documentation Plugin disabled Content-Security-Policy for 
archived and workspace files

SECURITY-308

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as 
protection against Cross-Site Scripting attacks using workspace files and 
archived artifacts served using DirectoryBrowserSupport (SECURITY-95).

Whenever any user viewed a Cucumber Report, Cucumber Living Documentation 
Plugin disabled this XSS protection, and it stayed disabled until Jenkins was 
restarted. The plugin did this to work around the Content-Security-Policy 
restriction.

While temporarily disabling this protection may be necessary to make plugins 
work that haven't been adapted to the Content-Security-Policy restriction, 
this should only be done by administrators, as doing so may result in a 
security issue (see Configuring Content Security Policy).

This has been addressed in version 1.1.0 of the plugin, and it will now 
request that users change the Content-Security-Policy option in Jenkins.

Perforce Plugin uses ineffective credentials encryption

SECURITY-373

Perforce Plugin encrypts its credentials using DES and a fixed key stored in 
its public source code, so this only serves as basic obfuscation. This allowed 
users with Jenkins master local file system access and Jenkins administrators
to retrieve the stored password. The latter could result in exposure of the 
passwords through browser extensions, cross-site scripting vulnerabilities, 
and similar situations.

As of publication of this advisory, there is no fix. The plugin has been 
removed from publication at the request of its former maintainers. We 
recommend that users of Perforce Plugin use the P4 Plugin instead.

vSphere Plugin does not validate SSL/TLS certificates

SECURITY-504

vSphere Plugin disabled SSL/TLS certificate validation unconditionally, 
allowing potential man-in-the-middle attacks.

vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by default.
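The following is an added example, not vSphere Plugin code, showing the pattern SECURITY-504 describes (an all-accepting trust manager installed unconditionally) beside the two shapes a plugin should offer instead: the JVM default, which validates the chain and the hostname, and an explicit per-server opt-in that trusts exactly one operator-supplied CA certificate rather than every certificate. Class names, the "vcenter-ca" alias and the PEM input are illustrative assumptions.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Added example (not from the vSphere Plugin): three ways to set up TLS trust. */
public class TlsTrust {

    /*
     * BEFORE: the SECURITY-504 shape. Every certificate is accepted for every host, so an
     * on-path attacker with any key pair can terminate the connection and read the vSphere
     * credentials Jenkins sends. Plugins doing this usually also install
     *   HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
     * which additionally disables the hostname check for the whole JVM.
     */
    static SSLContext trustEverything() throws Exception {
        TrustManager[] acceptAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        return ctx;
    }

    /* AFTER, default: the platform trust store; chain building and hostname check both apply. */
    static SSLContext systemDefault() throws Exception {
        return SSLContext.getDefault();
    }

    /*
     * AFTER, explicit opt-in for a vCenter with a private CA: a key store holding only the
     * PEM certificate the administrator pasted into the server configuration. Validation is
     * still performed, just against this one anchor instead of the public roots.
     */
    static SSLContext trustOnly(InputStream pemCertificate) throws Exception {
        X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(pemCertificate);
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);                       // empty in-memory store
        anchors.setCertificateEntry("vcenter-ca", ca);  // hypothetical alias
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /* Apply a context to one connection; leave the default HostnameVerifier in place. */
    static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

The opt-in variant is the one to expose as a per-server checkbox plus certificate field; a global "ignore certificate errors" switch, or a trust-all manager installed as the JVM default, silently downgrades every other HTTPS connection the Jenkins master makes, not only the vSphere one.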

CSRF vulnerability and missing permission checks in vSphere Plugin form 
validation allowed enumerating credentials IDs, capturing credentials, and 
denial of service

SECURITY-745

vSphere Plugin did not perform permission checks on methods implementing form
validation. This allowed users with Overall/Read access to Jenkins to perform
various actions such as:

 o Connect to an attacker-specified vSphere server using attacker-specified 
   credentials IDs obtained through another method, capturing credentials 
   stored in Jenkins

 o Connect to configured vSphere servers and look up information, 
   potentially resulting in denial of service

Additionally, these form validation methods did not require POST requests, 
resulting in a CSRF vulnerability.

These form validation methods now require POST requests and appropriate user 
permissions.

Liquibase Runner Plugin allows users to load arbitrary Java code into master 
JVM

SECURITY-519

Liquibase Runner Plugin allows users with Job/Configure permission to 
configure its build step in a way that loads arbitrary class files into the 
Jenkins master JVM, resulting in arbitrary code execution.

As of publication of this advisory, there is no fix.

Perforce Plugin credentials can be obtained by users with Job/Extended Read 
permission

SECURITY-536

Jenkins prevents users with Extended Read permission from obtaining secrets 
such as credentials stored in job configurations.

Perforce Plugin implements its own credential encryption using DES and an 
encryption key stored in its public source code. This is not considered a 
secret by Jenkins, resulting in potential exposure of Perforce credentials 
stored in job configurations to users with Extended Read permission. While 
these are encrypted, this can only be considered basic obfuscation due to the
hard-coded public encryption key used.

As of publication of this advisory, there is no fix. The plugin has been 
removed from publication at the request of its maintainers. We recommend that
users of Perforce Plugin use the P4 Plugin instead.
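SECURITY-373 and SECURITY-536 are the same weakness seen from two vantage points (file system access and Extended Read), so one added example covers both. It is not Perforce Plugin code and does not reproduce that plugin's key; the eight-byte key and the password below are constructed here. It shows why a DES value whose key is committed to public source code is recoverable by anyone who can read the stored string out of a job's config.xml.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example: "encryption" with a key that ships in the source is reversible by design. */
public class HardcodedDesObfuscation {

    // Hypothetical fixed DES key, i.e. eight bytes anyone can read in the public repository.
    private static final byte[] HARDCODED_KEY = "examplek".getBytes(StandardCharsets.UTF_8);

    /* What such a plugin does before writing the password into config.xml. */
    static String obfuscate(String password) throws Exception {
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "DES"));
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    /*
     * What a user with Extended Read (who can fetch config.xml) or with master file system
     * access runs: the same constant, the other direction. No secret material is needed.
     */
    static String recover(String storedValue) throws Exception {
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "DES"));
        byte[] pt = cipher.doFinal(Base64.getDecoder().decode(storedValue));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String stored = obfuscate("p4-example-password");   // constructed sample value
        System.out.println("value as stored in config.xml : " + stored);
        System.out.println("recovered with the source key  : " + recover(stored));
    }
}
```

The Jenkins-native alternative is hudson.util.Secret: its key is generated per instance and lives in JENKINS_HOME, so a copy of config.xml alone is not enough, and Jenkins redacts Secret-typed fields when it serves config.xml to users who hold only Extended Read, which is exactly the protection the Perforce Plugin's own scheme bypassed.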

Copy To Slave Plugin allows access to arbitrary files on the Jenkins master 
file system

SECURITY-545

Copy To Slave Plugin allows users with Job/Configure permissions to configure
it in such a way that it allows obtaining arbitrary files accessible to the 
Jenkins master process from the Jenkins master file system.

As of publication of this advisory, there is no fix.

Ansible Plugin disabled host key verification by default

SECURITY-630

Ansible Plugin disabled host key verification by default, having it only as an
opt-in option.

Ansible Plugin 1.0 now enables host key verification by default, adding 
options allowing users to opt out.

Existing configurations that previously did not opt into host key verification
will have host key verification enabled after update, possibly resulting in 
failures.

Reverse Proxy Auth Plugin persisted authorities cache on disk

SECURITY-736

Reverse Proxy Auth Plugin persisted a cache of granted authorities (group 
memberships) on disk.

This could allow users with local Jenkins master file system access to obtain
group membership information of Jenkins users.

Reverse Proxy Auth Plugin 1.6.0 and newer no longer stores the cache of granted
authorities on disk.

Mailer Plugin allowed unauthorized users to send test emails

SECURITY-774 / CVE-2018-8718

A missing permission check in Mailer Plugin allowed users with Overall/Read 
access to Jenkins to have it connect to a user-specified mail server with 
user-specified credentials to send a test email to a user-specified email 
address. The email subject and body could not be changed. This could result in
DoS if, for example, a valid mail server but invalid credentials were 
specified.

As the same URL did not require POST to be used, it also was vulnerable to 
cross-site request forgery.

The URL handling test emails now requires POST to protect from CSRF, and 
performs an Overall/Administer permission check.

Severity

    SECURITY-261: medium
    SECURITY-262: low
    SECURITY-308: medium
    SECURITY-373: medium
    SECURITY-504: medium
    SECURITY-745: medium
    SECURITY-519: high
    SECURITY-536: medium
    SECURITY-545: medium
    SECURITY-630: medium
    SECURITY-736: low
    SECURITY-774: medium

Affected Versions

    Ansible Plugin up to and including 0.8
    Copy To Slave Plugin up to and including 1.4.4
    Cucumber Living Documentation Plugin up to and including 1.0.12
    GitHub Pull Request Builder Plugin up to and including 1.39.0
    Liquibase Runner Plugin up to and including 1.3.0
    Mailer Plugin up to and including 1.20
    Perforce Plugin up to and including 1.3.36
    Reverse Proxy Auth Plugin up to and including 1.5
    vSphere Plugin up to and including 2.16

Fix

    Ansible Plugin should be updated to version 1.0
    Cucumber Living Documentation Plugin should be updated to version 1.1.0
    GitHub Pull Request Builder Plugin should be updated to version 1.40.0
    Mailer Plugin should be updated to version 1.21
    Reverse Proxy Auth Plugin should be updated to version 1.6.0
    vSphere Plugin should be updated to version 2.17

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless 
otherwise indicated.

As of publication of this advisory, no fixes are available for the following 
plugins:

    Copy To Slave Plugin
    Liquibase Runner Plugin
    Perforce Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and 
reporting these vulnerabilities:

    Daniel Beck, CloudBees, Inc. for SECURITY-308, SECURITY-745, SECURITY-630
    Hyoungwook Jang, SKinfosec, Inc. for SECURITY-774
    Jesse Glick, CloudBees, Inc. for SECURITY-545
    Oleg Nenashev, CloudBees, Inc. for SECURITY-536, SECURITY-736
    Peter Adkins for SECURITY-504
    Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG for SECURITY-261, 
     SECURITY-262, SECURITY-373
    Yoann Dubreuil, CloudBees, Inc. for SECURITY-519

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================