
             AUSCERT External Security Bulletin Redistribution

                   Jenkins Security Advisory 2018-12-05
                              6 December 2018


        AusCERT Security Bulletin Summary

Product:           Jenkins
Publisher:         Jenkins project
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Unauthorised Access    -- Existing Account      
Resolution:        Patch/Upgrade

Original Bulletin: 

---------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-12-05

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)


Code execution through crafted URLs

SECURITY-595 / CVE pending

Jenkins uses the Stapler web framework for HTTP request handling. Stapler's
basic premise is that it uses reflective access to code elements matching its
naming conventions. For example, any public method whose name starts with get,
and that has a String, int, long, or no argument can be invoked this way on
objects that are reachable through these means. As these naming conventions
closely match common code patterns in Java, accessing crafted URLs could invoke
methods never intended to be invoked this way.

As of publication of this advisory, we are aware of the following potential
attacks in the latest Jenkins releases that do not yet contain this fix:

  * Unauthenticated users can invalidate all sessions when running Jenkins with
    the built-in Winstone-Jetty server.

  * Users with Overall/Read permission could create new user objects in memory.

  * Users with Overall/Read access could manually kick off otherwise
    periodically executed runs of implementations of AsyncPeriodicWork.

The previous two Jenkins security updates, LTS 2.121.3 and 2.138, as well as
Jenkins LTS 2.138.2 and 2.146 included changes that prevent a number of other
attacks resulting from this vulnerability. The following is a selection of
attacks that were discovered during fix development, and are already being
prevented on current releases of Jenkins:

  * Up to Jenkins 2.121.2 or 2.137, unauthenticated users could bypass Overall/
    Read and Job/Read permission checks and access information about builds in
    jobs with currently running builds, such as their build logs.

  * Up to Jenkins 2.121.2 or 2.137, users with Overall/Read access could bypass
    Job/Read permission checks for all jobs. It was also possible to enumerate
    all top-level jobs on a given instance.

  * Up to Jenkins 2.121.2 or 2.137, unauthenticated users could access the
    environment variables defined for the Jenkins master itself, or any agent.

  * Up to Jenkins 2.138.1 or 2.145, users with Overall/Read and Credentials/
    View permissions could enumerate all credentials stored in the system-wide
    credentials store, and access the user names and passwords (Credentials
    Plugin). Up to Jenkins 2.121.2 or 2.138, only the Credentials/View
    permission was required.

  * Up to Jenkins 2.138.1 or 2.145, unauthenticated users could access the LDAP
    password from the configuration of the LDAP security realm (LDAP Plugin).

Important: The security-related improvements released in Jenkins LTS 2.121.3
and 2.138, as well as Jenkins LTS 2.138.2 and 2.146 are an important part of
this fix, and we strongly recommend not disabling them. Disabling them enables
some of the attacks described above. Previously published documentation has
been updated.

Given the vast potential attack surface, we fully expect other attacks, that we
are not currently aware of, to be possible on Jenkins releases that do not have
this fix applied. This is reflected in the high score we assigned to this
issue, rather than limiting the score to the impact through known issues.

The Stapler web framework has been extended with a Service Provider Interface
(SPI) that allows methods and fields to be excluded from routing. The
implementation of that SPI in Jenkins now restricts which getter methods, do*
action methods, and fields can be invoked reflectively by Stapler. Further
details are available in the developer documentation:

  * Making Object Accessible via Stapler

  * Web Methods

  * Restricting HTTP Access to AccessControlled Objects

Note: This change is expected to impact existing functionality in some plugins.
The most likely effect is that some URLs now return 404 Not Found. In rare
cases, the responses returned might not be 404 Not Found, but still different
than they would have been before this fix was applied. We track known affected
plugins and their status in the Jenkins wiki.
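The following is an added illustration, not Stapler or Jenkins code: a toy router that maps a URL segment to a public zero-argument getter by naming convention alone, beside the same router restricted to methods carrying an explicit opt-in marker (the hypothetical @WebRoutable annotation stands in for the real SPI). The sample Server class and its getResetSessions() method are constructed to show how a getter with a side effect becomes reachable when routing is decided by name shape rather than by intent.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

/**
 * Toy model of convention-based reflective routing. This is NOT Stapler or
 * Jenkins code; it only shows why "every public getFoo() is a URL" is unsafe
 * and how an explicit opt-in filter closes the gap.
 */
public class ReflectiveRouterDemo {

    /** Hypothetical opt-in marker: only annotated methods may be reached by URL. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface WebRoutable {}

    /** Constructed sample object. Only getName() is meant to be web-visible. */
    public static class Server {
        boolean sessionsReset = false;

        @WebRoutable
        public String getName() { return "ci-01"; }

        // Matches the get* naming convention but changes state.
        // Under convention-only routing, GET /resetSessions would invoke it.
        public String getResetSessions() {
            sessionsReset = true;
            return "all sessions invalidated";
        }
    }

    /**
     * Map one URL segment ("name" -> getName()) to a public zero-argument method.
     * With allowListOnly=false any matching getter is invoked (the behaviour the
     * advisory describes); with allowListOnly=true the method must also carry
     * @WebRoutable. Returns null where a web framework would answer 404.
     */
    static Object dispatch(Object target, String segment, boolean allowListOnly) {
        String name = "get" + Character.toUpperCase(segment.charAt(0)) + segment.substring(1);
        for (Method m : target.getClass().getMethods()) {
            if (!m.getName().equals(name) || m.getParameterCount() != 0
                    || !Modifier.isPublic(m.getModifiers())) {
                continue;
            }
            if (allowListOnly && !m.isAnnotationPresent(WebRoutable.class)) {
                return null; // routable by convention, but never explicitly exposed
            }
            try {
                return m.invoke(target);
            } catch (ReflectiveOperationException e) {
                return null;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Server s = new Server();
        // Convention-only routing: the side-effecting getter is reachable.
        System.out.println("/name          -> " + dispatch(s, "name", false));
        System.out.println("/resetSessions -> " + dispatch(s, "resetSessions", false));
        System.out.println("sessions reset? " + s.sessionsReset);

        Server hardened = new Server();
        // Opt-in routing: getName() still works, the other segment is a 404.
        System.out.println("/name          -> " + dispatch(hardened, "name", true));
        System.out.println("/resetSessions -> " + dispatch(hardened, "resetSessions", true));
        System.out.println("sessions reset? " + hardened.sessionsReset);
    }
}
```

The design point is the direction of the default: the convention-only router exposes everything that happens to look like a getter and relies on developers remembering to rename or hide methods, whereas the allow-list router exposes nothing until a method is deliberately marked, which is why the advisory warns that some plugin URLs will start returning 404 Not Found after the fix.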

Forced migration of user records

SECURITY-1072 / CVE pending

The fix for SECURITY-499 introduced a mechanism that renamed user directories
on disk as a user with an unsafe user name (user ID) is loaded. Insufficient
input validation allowed attackers to rename such user directories even for
users with a safe user name by submitting a crafted user name when attempting
to log in, even with an invalid password. Doing so prevented users from logging
in successfully afterwards.

Jenkins no longer uses directory names as a reference for user names, making
the on-load migration of user records unnecessary. Instead, the new file users/
users.xml is used to map user names to the directories containing the user

On the first startup after updating Jenkins to a version containing this fix,
existing legacy user directories are migrated. For further advice related to
this user record migration, see the LTS upgrade guide.

Workspace browser allowed accessing files outside the workspace

SECURITY-904 / CVE pending

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/
userContent/ followed symbolic links to locations outside the directory being

While builds typically have access to the file system outside the workspace
allocated by Jenkins, this should not extend to beyond the execution of a build
on that agent. Notably, the configuration may have been changed to not allow a
build to run on a given agent, but the workspace used during the previous
execution still exists, and could allow browsing the file system outside the

Neither browsing through the UI nor downloading directory content as a ZIP file
allow accessing directories and files outside the workspace anymore.

In rare cases, it may be desirable to disable this fix. To do so, set the Java
system property hudson.model.DirectoryBrowserSupport.allowSymlinkEscape to
true. Learn more about system properties in Jenkins.

Note: While the same component allows browsing archived artifacts, this fix does
not apply to archived artifacts. Valid symbolic links are archived as the files
and directories they point to on the agent, while invalid symlinks cannot
escape the root directory for archived artifacts on the Jenkins master. This
was previously fixed as SECURITY-162 in the 2018-02-27 security advisory.
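As an added example of the containment check such a file browser needs (illustration only, not Jenkins's DirectoryBrowserSupport): the requested path is resolved under the workspace root, then both the root and the candidate are converted to their real, symlink-resolved paths before the prefix comparison. The temporary workspace, the escape symlink and the secret.txt file are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Containment check for a directory browser. Added illustration, not Jenkins
 * code: the point is to compare real (symlink-resolved) paths on both sides
 * before serving anything.
 */
public class WorkspaceBrowserGuard {

    /**
     * Resolve a user-supplied relative path under root. Returns the real path if
     * it stays inside root after following symlinks, or null if it escapes
     * (lexically via ".." or physically via a symlink) or does not exist.
     */
    static Path resolveWithinRoot(Path root, String relative) throws IOException {
        Path realRoot = root.toRealPath();                 // root itself may be a symlink
        Path candidate = realRoot.resolve(relative).normalize();
        if (!candidate.startsWith(realRoot)) {
            return null;                                   // "../" traversal
        }
        if (!Files.exists(candidate)) {
            return null;                                   // also covers dangling symlinks
        }
        Path real = candidate.toRealPath();                // follows every symlink component
        return real.startsWith(realRoot) ? real : null;    // symlink pointing outside root
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout in a temporary directory:
        //   workspace/build.log          regular file, should be served
        //   workspace/escape -> outside/ symlink leaving the workspace
        //   outside/secret.txt           must never be reachable via the browser
        Path base = Files.createTempDirectory("browser-demo");
        Path workspace = Files.createDirectories(base.resolve("workspace"));
        Path outside = Files.createDirectories(base.resolve("outside"));
        Files.writeString(workspace.resolve("build.log"), "ok\n");
        Files.writeString(outside.resolve("secret.txt"), "nope\n");
        try {
            Files.createSymbolicLink(workspace.resolve("escape"), outside);
        } catch (UnsupportedOperationException | IOException e) {
            System.out.println("symlink creation not permitted here; skipping that case");
        }

        System.out.println("build.log         -> " + resolveWithinRoot(workspace, "build.log"));
        System.out.println("../outside/secret -> " + resolveWithinRoot(workspace, "../outside/secret.txt"));
        System.out.println("escape/secret.txt -> " + resolveWithinRoot(workspace, "escape/secret.txt"));
    }
}
```

Two details matter in practice. Path.startsWith compares whole path components, so a sibling directory such as workspace2 is not mistaken for a child of workspace, which a plain string prefix check would get wrong. And the root is passed through toRealPath as well, because on systems where the workspace location is itself reached through a symlink the resolved candidate would otherwise never share a prefix with the unresolved root and every legitimate file would be rejected.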

Potential denial of service through cron expression form validation

SECURITY-1193 / CVE pending

The form validation for cron expressions (e.g. "Poll SCM", "Build
periodically") could enter infinite loops when cron expressions only matching
certain rare dates were entered, blocking request handling threads.
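An added example of the failure mode and its usual remedy (not the Jenkins validator itself): a forward search for the next date satisfying a schedule constraint loops forever when no calendar date ever satisfies it, so the search is given an iteration ceiling. The two predicates stand in for parsed day-of-month and month fields and are constructed for the demonstration; the ceiling of 366 * 8 days is an assumption chosen to cover the longest legitimate gap between occurrences of Feb 29.

```java
import java.time.LocalDate;
import java.util.Optional;
import java.util.function.Predicate;

/**
 * Bounded forward search for "next matching date". Added illustration, not the
 * Jenkins cron validator: it shows a constraint no calendar date ever satisfies
 * and the fix, an iteration ceiling that turns an infinite loop into a rejection.
 */
public class BoundedScheduleSearch {

    /**
     * How far ahead to look. The ceiling must exceed the longest legitimate gap
     * between matches: Feb 29 can be eight years apart around a skipped century
     * leap year (1896 -> 1904), so a shorter bound would reject a valid schedule.
     */
    static final int MAX_DAYS_AHEAD = 366 * 8;

    /** First date on or after 'from' satisfying 'matches', if one exists within the bound. */
    static Optional<LocalDate> nextMatch(LocalDate from, Predicate<LocalDate> matches) {
        LocalDate d = from;
        for (int i = 0; i < MAX_DAYS_AHEAD; i++, d = d.plusDays(1)) {
            if (matches.test(d)) {
                return Optional.of(d);
            }
        }
        return Optional.empty(); // an unbounded loop would never reach this point
    }

    public static void main(String[] args) {
        LocalDate start = LocalDate.of(2018, 12, 5);   // constructed reference date

        // Constructed constraints standing in for parsed day-of-month/month fields.
        Predicate<LocalDate> feb29 = d -> d.getMonthValue() == 2 && d.getDayOfMonth() == 29;
        Predicate<LocalDate> feb30 = d -> d.getMonthValue() == 2 && d.getDayOfMonth() == 30;

        // Rare but real: found within the bound.
        System.out.println("next Feb 29 after " + start + ": " + nextMatch(start, feb29));
        // Never occurs: the bounded search gives up instead of hanging the thread.
        System.out.println("next Feb 30 after " + start + ": " + nextMatch(start, feb30));
    }
}
```

From a defender's point of view the useful property is that the cost of validating any expression, valid or not, is now capped by MAX_DAYS_AHEAD iterations, so a single form submission cannot pin a request handling thread indefinitely.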


  * SECURITY-595: critical
  * SECURITY-904: medium
  * SECURITY-1072: medium
  * SECURITY-1193: medium

Affected Versions

  * Jenkins weekly up to and including 2.153
  * Jenkins LTS up to and including 2.138.3


  * Jenkins weekly should be updated to version 2.154
  * Jenkins LTS should be updated to version either 2.138.4 or 2.150.1

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.


The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Apple Information Security for SECURITY-904
  * Daniel Beck, CloudBees, Inc., Jesse Glick, CloudBees, Inc., and Wadeck
    Follonier, CloudBees, Inc.; and, independently, Apple Information Security;
    Evan Grant of Tenable; and Orange Tsai (@orange_8361) from DEVCORE for
  * Denis Shvedchenko, Sphere, Inc. for SECURITY-1193
  * Nimrod Stoler of CyberArk Labs, and, independently, Evan Grant of Tenable 
    for SECURITY-1072

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967