===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3765
                     Jenkins Security Advisory 2018-12-05
                               6 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins project
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Unauthorised Access    -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://jenkins.io/security/advisory/2018-12-05/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-12-05

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)

Descriptions

Code execution through crafted URLs

SECURITY-595 / CVE pending

Jenkins uses the Stapler web framework for HTTP request handling. Stapler's
basic premise is that it uses reflective access to code elements matching its
naming conventions. For example, any public method whose name starts with get,
and that has a String, int, long, or no argument can be invoked this way on
objects that are reachable through these means.

As these naming conventions closely match common code patterns in Java,
accessing crafted URLs could invoke methods never intended to be invoked this
way.

As of publication of this advisory, we are aware of the following potential
attacks in the latest Jenkins releases that do not yet contain this fix:

  * Unauthenticated users can invalidate all sessions when running Jenkins
    with the built-in Winstone-Jetty server.
  * Users with Overall/Read permission could create new user objects in
    memory.
  * Users with Overall/Read access could manually kick off otherwise
    periodically executed runs of implementations of AsyncPeriodicWork.
The previous two Jenkins security updates, LTS 2.121.3 and 2.138, as well as
Jenkins LTS 2.138.2 and 2.146 included changes that prevent a number of other
attacks resulting from this vulnerability. The following is a selection of
attacks that were discovered during fix development, and are already being
prevented on current releases of Jenkins:

  * Up to Jenkins 2.121.2 or 2.137, unauthenticated users could bypass
    Overall/Read and Job/Read permission checks and access information about
    builds in jobs with currently running builds, such as their build logs.
  * Up to Jenkins 2.121.2 or 2.137, users with Overall/Read access could
    bypass Job/Read permission checks for all jobs. It was also possible to
    enumerate all top-level jobs on a given instance.
  * Up to Jenkins 2.121.2 or 2.137, unauthenticated users could access the
    environment variables defined for the Jenkins master itself, or any agent
    process.
  * Up to Jenkins 2.138.1 or 2.145, users with Overall/Read and
    Credentials/View permissions could enumerate all credentials stored in
    the system-wide credentials store, and access the user names and
    passwords (Credentials Plugin). Up to Jenkins 2.121.2 or 2.138, only the
    Credentials/View permission was required.
  * Up to Jenkins 2.138.1 or 2.145, unauthenticated users could access the
    LDAP password from the configuration of the LDAP security realm (LDAP
    Plugin).

Important: The security-related improvements released in Jenkins LTS 2.121.3
and 2.138, as well as Jenkins LTS 2.138.2 and 2.146 are an important part of
this fix, and we strongly recommend not disabling them. Disabling them enables
some of the attacks described above. Previously published documentation has
been updated.

Given the vast potential attack surface, we fully expect other attacks, that
we are not currently aware of, to be possible on Jenkins releases that do not
have this fix applied.
This is reflected in the high score we assigned to this issue, rather than
limiting the score to the impact through known issues.

The Stapler web framework has been extended with a Service Provider Interface
(SPI) that allows methods and fields to be excluded from routing. The
implementation of that SPI in Jenkins now restricts which getter methods, do*
action methods, and fields can be invoked reflectively by Stapler. Further
details are available in the developer documentation:

  * Making Object Accessible via Stapler
  * Web Methods
  * Restricting HTTP Access to AccessControlled Objects

Note: This change is expected to impact existing functionality in some
plugins. The most likely effect is that some URLs now return 404 Not Found.
In rare cases, the responses returned might not be 404 Not Found, but still
different than they would have been before this fix was applied. We track
known affected plugins and their status in the Jenkins wiki.

Forced migration of user records

SECURITY-1072 / CVE pending

The fix for SECURITY-499 introduced a mechanism that renamed user directories
on disk as a user with an unsafe user name (user ID) is loaded. Insufficient
input validation allowed attackers to rename such user directories even for
users with a safe user name by submitting a crafted user name when attempting
to log in, even with an invalid password. Doing so prevented users from
logging in successfully afterwards.

Jenkins no longer uses directory names as a reference for user names, making
the on-load migration of user records unnecessary. Instead, the new file
users/users.xml is used to map user names to the directories containing the
user metadata. On the first startup after updating Jenkins to a version
containing this fix, existing legacy user directories are migrated.

For further advice related to this user record migration, see the LTS upgrade
guide.
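The convention-based getter routing described under SECURITY-595 above, next to the allowlist approach taken by the routing SPI in the fix, reduced to a self-contained Java example. This is added illustration, not Stapler or Jenkins code: the Project class, its getters and the "Class#method" allowlist format are constructed for the demonstration.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Constructed model object standing in for a Jenkins domain class.
class Project {
    private int reloads = 0;

    // Intended to be reachable from the UI.
    public String getDisplayName() { return "demo-project"; }

    // Follows the getX naming pattern but changes state; never meant to be
    // reachable through a URL. Convention-only routing cannot tell the difference.
    public Project getReloaded() { reloads++; return this; }

    public int reloadCount() { return reloads; }
}

public class GetterRouting {
    // URL segment "foo" -> getFoo(), the convention the advisory describes.
    static String getterName(String segment) {
        return "get" + Character.toUpperCase(segment.charAt(0)) + segment.substring(1);
    }

    // Convention-only dispatch: any public no-argument getter is invokable.
    static Object routeByConvention(Object target, String segment) throws Exception {
        Method m = target.getClass().getMethod(getterName(segment));
        return m.invoke(target);
    }

    // Allowlist dispatch in the spirit of the SPI added by the fix: a getter is
    // reachable only if explicitly listed; anything else is treated as 404 Not Found.
    static Object routeWithAllowlist(Object target, String segment, Set<String> allowed)
            throws Exception {
        String key = target.getClass().getName() + "#" + getterName(segment);
        if (!allowed.contains(key)) {
            return null;    // caller maps null to 404 Not Found
        }
        return routeByConvention(target, segment);
    }

    public static void main(String[] args) throws Exception {
        Project p = new Project();
        System.out.println(routeByConvention(p, "displayName"));
        routeByConvention(p, "reloaded");          // side effect reached via a URL segment
        System.out.println("reloads after convention routing: " + p.reloadCount());

        Project q = new Project();
        Set<String> allowed = Set.of("Project#getDisplayName");   // constructed allowlist
        System.out.println(routeWithAllowlist(q, "displayName", allowed));
        System.out.println(routeWithAllowlist(q, "reloaded", allowed));
        System.out.println("reloads after allowlist routing: " + q.reloadCount());
    }
}
```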
Workspace browser allowed accessing files outside the workspace

SECURITY-904 / CVE pending

The file browser for workspaces, archived artifacts, and
$JENKINS_HOME/userContent/ followed symbolic links to locations outside the
directory being browsed.

While builds typically have access to the file system outside the workspace
allocated by Jenkins, this should not extend to beyond the execution of a
build on that agent. Notably, the configuration may have been changed to not
allow a build to run on a given agent, but the workspace used during the
previous execution still exists, and could allow browsing the file system
outside the workspace.

Neither browsing through the UI nor downloading directory content as a ZIP
file allow accessing directories and files outside the workspace anymore.

In rare cases, it may be desirable to disable this fix. To do so, set the
Java system property hudson.model.DirectoryBrowserSupport.allowSymlinkEscape
to true. Learn more about system properties in Jenkins.

Note: While the same component allows browsing archived artifacts, this fix
does not apply to archived artifacts. Valid symbolic links are archived as
the files and directories they point to on the agent, while invalid symlinks
cannot escape the root directory for archived artifacts on the Jenkins
master. This was previously fixed as SECURITY-162 in the 2018-02-27 security
advisory.

Potential denial of service through cron expression form validation

SECURITY-1193 / CVE pending

The form validation for cron expressions (e.g. "Poll SCM", "Build
periodically") could enter infinite loops when cron expressions only matching
certain rare dates were entered, blocking request handling threads
indefinitely.
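A containment check of the kind the SECURITY-904 fix requires: resolve the requested path through every symbolic link and refuse it unless the real path still lies inside the workspace root. Added Java example, not Jenkins' DirectoryBrowserSupport code; the temporary directories and the symlink are constructed in main, and a POSIX filesystem with symlink support is assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class WorkspaceBrowser {
    // Resolve a browser-supplied relative path against the workspace root and return
    // the real (symlink-resolved) path only if it is still inside the root; null = refuse.
    static Path resolveInside(Path root, String relative) throws IOException {
        Path realRoot = root.toRealPath();                 // canonical root, links resolved
        Path candidate = realRoot.resolve(relative).normalize();
        if (!candidate.startsWith(realRoot)) {
            return null;                                   // plain ../ traversal
        }
        if (!Files.exists(candidate)) {
            return null;                                   // nothing to browse (or dangling link)
        }
        Path real = candidate.toRealPath();                // follows every symlink in the path
        return real.startsWith(realRoot) ? real : null;    // link target outside the root
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a workspace containing a symlink that points outside it.
        Path outside = Files.createTempDirectory("outside");
        Path secret = Files.writeString(outside.resolve("secret.txt"), "not part of the workspace");
        Path ws = Files.createTempDirectory("workspace");
        Files.writeString(ws.resolve("build.log"), "inside the workspace");
        Files.createSymbolicLink(ws.resolve("escape"), secret);

        System.out.println(resolveInside(ws, "build.log"));                       // accepted
        System.out.println(resolveInside(ws, "escape"));                          // refused
        System.out.println(resolveInside(ws, "../" + outside.getFileName() + "/secret.txt"));
    }
}
```

The check and the subsequent read are separate operations, so a link swapped between them is not caught; serving the returned real path rather than the user-supplied one narrows that window.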
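The SECURITY-1193 failure mode, as an added Java example that is not Jenkins' cron code: a next-match search over a simplified schedule that bounds how far ahead it looks, so an expression that matches no real date (31 April in the constructed input) returns null instead of spinning on the request thread. The Schedule record with explicit value sets and the five-year horizon are assumptions for the demonstration (Java 16+).

```java
import java.time.LocalDateTime;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

public class CronNextMatch {
    // Simplified schedule: explicit value sets for each field (a cron parser would build these).
    record Schedule(Set<Integer> minutes, Set<Integer> hours, Set<Integer> days, Set<Integer> months) {
        boolean dateMatches(LocalDateTime t) {
            return days.contains(t.getDayOfMonth()) && months.contains(t.getMonthValue());
        }
        boolean matches(LocalDateTime t) {
            return dateMatches(t) && hours.contains(t.getHour()) && minutes.contains(t.getMinute());
        }
    }

    static final int MAX_DAYS = 366 * 5;   // search horizon; assumed wide enough for leap-day schedules

    // Next matching time strictly after 'from', or null if none exists within the horizon.
    // Without the horizon a schedule that can never match keeps this loop running forever,
    // which is the blocked-request-thread condition described for SECURITY-1193.
    static LocalDateTime nextMatch(Schedule s, LocalDateTime from) {
        LocalDateTime t = from.withSecond(0).withNano(0).plusMinutes(1);
        LocalDateTime horizon = t.plusDays(MAX_DAYS);
        while (t.isBefore(horizon)) {
            if (!s.dateMatches(t)) {
                t = t.toLocalDate().plusDays(1).atStartOfDay();   // skip whole non-matching days
                continue;
            }
            if (s.matches(t)) {
                return t;
            }
            t = t.plusMinutes(1);
        }
        return null;   // bounded: caller reports "never matches" instead of hanging
    }

    static Set<Integer> rangeTo(int max) {
        return IntStream.rangeClosed(1, max).boxed().collect(Collectors.toSet());
    }

    public static void main(String[] args) {
        LocalDateTime from = LocalDateTime.of(2018, 12, 6, 9, 0);   // constructed reference time
        Schedule daily = new Schedule(Set.of(0), Set.of(3), rangeTo(31), rangeTo(12));
        Schedule leapDay = new Schedule(Set.of(0), Set.of(0), Set.of(29), Set.of(2));
        Schedule never = new Schedule(Set.of(0), Set.of(0), Set.of(31), Set.of(4));  // 31 April
        System.out.println(nextMatch(daily, from));
        System.out.println(nextMatch(leapDay, from));
        System.out.println(nextMatch(never, from));
    }
}
```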
Severity

  * SECURITY-595: critical
  * SECURITY-904: medium
  * SECURITY-1072: medium
  * SECURITY-1193: medium

Affected Versions

  * Jenkins weekly up to and including 2.153
  * Jenkins LTS up to and including 2.138.3

Fix

  * Jenkins weekly should be updated to version 2.154
  * Jenkins LTS should be updated to version either 2.138.4 or 2.150.1

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Apple Information Security for SECURITY-904
  * Daniel Beck, CloudBees, Inc., Jesse Glick, CloudBees, Inc., and Wadeck
    Follonier, CloudBees, Inc.; and, independently, Apple Information
    Security; Evan Grant of Tenable; and Orange Tsai (@orange_8361) from
    DEVCORE for SECURITY-595
  * Denis Shvedchenko, Sphere, Inc. for SECURITY-1193
  * Nimrod Stoler of CyberArk Labs, and, independently, Evan Grant of Tenable
    for SECURITY-1072

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================