-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0564
                   Jenkins Security Advisory 2019-02-19
                             25 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Existing Account
                   Access Confidential Data   -- Existing Account
                   Unauthorised Access        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1003028 CVE-2019-1003027 CVE-2019-1003026
                   CVE-2019-1003025 CVE-2019-1003024 

Original Bulletin: 
   https://jenkins.io/security/advisory/2019-02-19/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-02-19

This advisory announces vulnerabilities in the following Jenkins deliverables:

    Acunetix Plugin
    Arxan MAM Publisher Plugin
    Cloud Foundry Plugin
    ElectricFlow Plugin
    JMS Messaging Plugin
    Mattermost Notification Plugin
    OctopusDeploy Plugin
    Script Security Plugin

Descriptions

Sandbox Bypasses in Script Security Plugin SECURITY-1320 / CVE-2019-1003024

The previously implemented script security sandbox protections prohibiting the
use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for 
SECURITY-1266) could be circumvented through use of various Groovy language 
features:

    Use of AnnotationCollector
    Import aliasing
    Referencing annotation types using their full class name

This allowed users with Overall/Read permission, or the ability to control 
Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass 
the sandbox protection and execute arbitrary code on the Jenkins master.

Using AnnotationCollector is now newly prohibited in sandboxed scripts such as
Pipelines. Importing any of the annotations considered unsafe will now result
in an error. During the compilation phase, both simple and full class names of
prohibited annotations are rejected for element annotations. 
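As an added illustration (not the Script Security Plugin's own code), the following Groovy compilation customizer shows the shape of the check the fix describes: it refuses a blocked annotation whether the script writes it by simple name, by fully qualified name or through an import alias, and it refuses importing the annotation at all, so no alias can come into existence. It assumes a Groovy runtime on the classpath; the class name RejectUnsafeAnnotations and the BLOCKED list are illustrative and are not the plugin's actual list.

```java
// Added example, not the Script Security Plugin's own code. Assumes a Groovy
// runtime on the classpath; BLOCKED is an illustrative subset of unsafe annotations.
import groovy.lang.GroovyShell;
import org.codehaus.groovy.ast.AnnotatedNode;
import org.codehaus.groovy.ast.AnnotationNode;
import org.codehaus.groovy.ast.ClassCodeVisitorSupport;
import org.codehaus.groovy.ast.ClassNode;
import org.codehaus.groovy.ast.ImportNode;
import org.codehaus.groovy.ast.ModuleNode;
import org.codehaus.groovy.classgen.GeneratorContext;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilePhase;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.SourceUnit;
import org.codehaus.groovy.control.customizers.CompilationCustomizer;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class RejectUnsafeAnnotations extends CompilationCustomizer {

    /** Fully qualified names this sandbox refuses (illustrative subset). */
    static final Set<String> BLOCKED = new HashSet<>(Arrays.asList(
            "groovy.lang.Grab", "groovy.lang.Grapes", "groovy.lang.GrabConfig",
            "groovy.lang.GrabResolver", "groovy.lang.GrabExclude",
            "groovy.transform.AnnotationCollector"));

    /** Simple names of the same annotations, so a bare "@Grab" is caught too. */
    static final Set<String> BLOCKED_SIMPLE = new HashSet<>();
    static {
        for (String fqcn : BLOCKED) {
            BLOCKED_SIMPLE.add(fqcn.substring(fqcn.lastIndexOf('.') + 1));
        }
    }

    public RejectUnsafeAnnotations() {
        // CONVERSION runs before name resolution, so an annotation's ClassNode still
        // carries the text the author wrote: "Grab", "groovy.lang.Grab" or an alias.
        super(CompilePhase.CONVERSION);
    }

    static boolean isBlocked(String writtenName) {
        return BLOCKED.contains(writtenName) || BLOCKED_SIMPLE.contains(writtenName);
    }

    @Override
    public void call(final SourceUnit source, GeneratorContext context, ClassNode classNode) {
        ModuleNode module = source.getAST();

        // 1. Refuse the import itself. This closes the "import groovy.lang.Grab as X"
        //    route, because the alias X is never created.
        for (ImportNode imp : module.getImports()) {
            if (BLOCKED.contains(imp.getClassName())) {
                throw new SecurityException("Importing " + imp.getClassName()
                        + " is not allowed in the sandbox");
            }
        }

        // 2. Walk every annotated element (class, field, method, parameter, local
        //    declaration) and refuse blocked annotations by simple or full name.
        ClassCodeVisitorSupport visitor = new ClassCodeVisitorSupport() {
            @Override
            protected SourceUnit getSourceUnit() {
                return source;
            }

            @Override
            public void visitAnnotations(AnnotatedNode node) {
                for (AnnotationNode ann : node.getAnnotations()) {
                    String written = ann.getClassNode().getName();
                    if (isBlocked(written)) {
                        throw new SecurityException("Annotation " + written
                                + " cannot be used in the sandbox");
                    }
                }
                super.visitAnnotations(node);
            }
        };
        visitor.visitClass(classNode);
        for (ImportNode imp : module.getImports()) {
            visitor.visitAnnotations(imp); // the "@Grab(...) import a.b.C" form
        }
    }

    public static void main(String[] args) {
        CompilerConfiguration cc = new CompilerConfiguration();
        cc.addCompilationCustomizers(new RejectUnsafeAnnotations());
        GroovyShell shell = new GroovyShell(cc);

        // Constructed inputs: one per route named in the advisory, plus a benign script.
        String[] scripts = {
            "@Grab('org.example:lib:1.0')\nclass A {}",
            "@groovy.lang.Grab('org.example:lib:1.0')\nclass B {}",
            "import groovy.lang.Grab as Harmless\n@Harmless('org.example:lib:1.0')\nclass C {}",
            "import groovy.transform.AnnotationCollector\n@AnnotationCollector\n@interface W {}",
            "def x = 1 + 1\nreturn x",
        };
        for (String script : scripts) {
            try {
                shell.parse(script);
                System.out.println("accepted: " + script.split("\n")[0]);
            } catch (CompilationFailedException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run stand-alone, the benign arithmetic script is accepted and the other four are refused; Groovy surfaces the SecurityException thrown inside the customizer as a CompilationFailedException from parse(), which is the same failure mode a sandboxed Pipeline sees. Step 1 is what makes rejection by name sufficient: once the import is refused, the only names left for a blocked annotation are its simple and fully qualified forms.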


CSRF vulnerability and missing permission checks in Cloud Foundry Plugin 
allowed capturing credentials SECURITY-876 / CVE-2019-1003025

Cloud Foundry Plugin did not perform permission checks on a method 
implementing form validation. This allowed users with Overall/Read access to 
Jenkins to connect to an attacker-specified URL using attacker-specified 
credentials IDs obtained through another method, capturing credentials stored
in Jenkins.

Additionally, this form validation method did not require POST requests, 
resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer
(for global configuration) or Item/Configure permissions (for job 
configuration). 

SSRF vulnerability due to missing permission check in Mattermost Notification 
Plugin SECURITY-985 / CVE-2019-1003026

A missing permission check in a form validation method in Mattermost 
Notification Plugin allowed users with Overall/Read permission to initiate a 
connection test, connecting to an attacker-specified Mattermost server and 
room and posting a message.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a 
permission check. 

SSRF vulnerability due to missing permission check in OctopusDeploy Plugin 
SECURITY-817 / CVE-2019-1003027

A missing permission check in a form validation method in OctopusDeploy Plugin
allowed users with Overall/Read permission to initiate a connection test, 
sending an HTTP HEAD request to an attacker-specified URL, returning the HTTP
response code if successful, or the exception's error message otherwise.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a 
permission check. 
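The form-validation findings in this advisory (Cloud Foundry, Mattermost, OctopusDeploy, JMS Messaging and, further down, Acunetix) share one shape, so here is an added example, not code from any of those plugins, of a doTestConnection method in both states. ExamplePublisher and the descriptor names are illustrative; it assumes Jenkins core and Stapler on the classpath (Jenkins.get() is Jenkins.getInstance() on cores older than 2.98).

```java
// Added example, not code from any plugin named in the advisory. ExamplePublisher
// and the descriptor names are illustrative. Assumes Jenkins core and Stapler.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Publisher;
import hudson.tasks.Recorder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class ExamplePublisher extends Recorder {

    @Override
    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }

    /** The connection test itself: an HTTP HEAD to the given URL, as the advisory describes. */
    static FormValidation probe(String url) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            return FormValidation.ok("HTTP " + conn.getResponseCode());
        } catch (IOException e) {
            return FormValidation.error(e.getMessage());
        }
    }

    /**
     * BEFORE: the shape of the affected releases. No permission check, so anyone with
     * Overall/Read can make the master send a HEAD request to a URL of their choosing,
     * and no POST requirement, so a page elsewhere can trigger it through a logged-in
     * user's browser (the CSRF half of each finding).
     */
    public static class VulnerableDescriptor extends BuildStepDescriptor<Publisher> {
        public VulnerableDescriptor() { super(ExamplePublisher.class); }

        public FormValidation doTestConnection(@QueryParameter String url) {
            return probe(url);
        }

        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Example (vulnerable)"; }
    }

    /**
     * AFTER: what the fixed releases do. @POST rejects GET, which closes the CSRF route,
     * and the permission check limits the caller to someone allowed to configure the
     * job, or the instance when the form is the global configuration page.
     */
    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        public DescriptorImpl() { super(ExamplePublisher.class); }

        @POST
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @AncestorInPath Item item) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global configuration
            } else {
                item.checkPermission(Item.CONFIGURE);                // job configuration
            }
            return probe(url);
        }

        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Example"; }
    }
}
```

The fix changes who may make the master send the request and how it is triggered; it does not change what the request does or what the method hands back, so any remaining form-validation method that contacts a caller-supplied URL still deserves a look at what it returns to the caller.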

SSRF vulnerability due to missing permission check in JMS Messaging Plugin 
SECURITY-1033 / CVE-2019-1003028

A missing permission check in a form validation method in JMS Messaging Plugin
allowed users with Overall/Read permission to initiate a connection test, 
sending an HTTP request to an attacker-specified URL.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a 
permission check.

ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate
validation SECURITY-937

ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation 
for the entire Jenkins master JVM.
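An added example, not ElectricFlow Plugin's own code, contrasting the JVM-wide disable described above with trust that is scoped to a single connection. ScopedTrust, TRUST_STORE_PATH, the store password and the example URL are placeholders; it assumes a PKCS#12 trust store holding the CA that issued the server's certificate.

```java
// Added example, not ElectricFlow Plugin's own code. TRUST_STORE_PATH, the password
// and the URL below are placeholders.
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

public class ScopedTrust {

    static final String TRUST_STORE_PATH = "/path/to/private-ca-truststore.p12"; // placeholder

    // What SECURITY-937 describes, and what a plugin must never do: replacing the
    // JVM-wide defaults through HttpsURLConnection.setDefaultSSLSocketFactory(...) with
    // a factory whose TrustManager accepts every certificate, or through
    // setDefaultHostnameVerifier(...) with a verifier that always returns true. Every
    // HTTPS connection made by any plugin in that master then silently stops checking.

    /** Build an SSLContext that trusts exactly the CAs in the given store. */
    static SSLContext contextTrusting(String storePath, char[] storePassword)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(storePath)) {
            store.load(in, storePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Apply the trust decision to this one connection only; the JVM defaults stay untouched. */
    static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No custom HostnameVerifier is set: the default still checks the host name.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrusting(TRUST_STORE_PATH, "changeit".toCharArray()); // placeholder password
        HttpsURLConnection conn = open(new URL("https://flow.example.invalid/"), ctx);  // placeholder URL
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The point of the scoping is that a private CA is still verified against a chain and a host name; only the set of trusted roots is narrowed, and only for the connection that needs it.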

ElectricFlow Plugin 1.1.5 and newer no longer do that.

Acunetix Plugin stored API key in plain text SECURITY-951

Acunetix Plugin stored the API Key in its configuration unencrypted in its 
global configuration file on the Jenkins master. This key could be viewed by 
users with access to the master file system.

The plugin now integrates with Credentials Plugin. 
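An added example, not Acunetix Plugin's own code, of what "integrates with Credentials Plugin" means in practice, before and after; the advisory cites the same fix for SECURITY-1070 further down. ExampleStep, apiKey, credentialsId and legacyApiKey are illustrative; it assumes Jenkins core together with the Credentials and Plain Credentials plugins on the classpath.

```java
// Added example, not Acunetix Plugin's own code. Field and class names are
// illustrative. Assumes Jenkins core plus the Credentials and Plain Credentials plugins.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.Secret;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;

import java.util.Collections;

public class ExampleStep {

    /**
     * BEFORE: a plain String field is written to the configuration XML exactly as
     * typed, so anyone who can read that file on the master sees the key.
     */
    private String apiKey;

    /**
     * AFTER: only a reference is stored. The secret lives in the credentials store,
     * is encrypted at rest and is governed by the Credentials Plugin's own
     * permissions; the configuration form only ever carries the ID.
     */
    private String credentialsId;

    /** Resolve the key at the moment it is needed, in the context of the job using it. */
    Secret resolveApiKey(Item context) {
        StringCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StringCredentials.class, context, ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            throw new IllegalStateException("No credentials with ID " + credentialsId);
        }
        return c.getSecret();
    }

    /**
     * Intermediate step when a full Credentials Plugin integration is not yet in place:
     * hudson.util.Secret is stored encrypted with the master's key rather than as the
     * typed value, and a password form field bound to it receives the encrypted form
     * instead of the plain text.
     */
    private Secret legacyApiKey;

    void setLegacyApiKey(String plain) {
        this.legacyApiKey = Secret.fromString(plain);
    }

    String useLegacyApiKey() {
        return legacyApiKey == null ? null : legacyApiKey.getPlainText();
    }
}
```

The lookup runs as ACL.SYSTEM because the build, not the browsing user, consumes the credential; which IDs a user may select into the job is decided separately by the Credentials Plugin when the job is configured.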

SSRF vulnerability due to missing permission check in Acunetix Plugin 
SECURITY-980

A missing permission check in a form validation method in Acunetix Plugin 
allowed users with Overall/Read permission to initiate a connection test, 
sending an HTTP GET request to an attacker-specified URL, adding a /me suffix,
returning whether the connection could be established and whether the HTTP 
response code is 200.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a 
permission check.

Arxan MAM Publisher Plugin stored password in plain text SECURITY-1070

Arxan MAM Publisher Plugin stored the username and password connection 
credentials in its configuration unencrypted in jobs' config.xml files on the
Jenkins master. These credentials could be viewed by users with Extended Read 
permission, or access to the master file system.

While masked from view using a password form field, the password was 
transferred in plain text to users when accessing the job configuration form.

The plugin now integrates with Credentials Plugin.

Severity

    SECURITY-817: medium
    SECURITY-876: medium
    SECURITY-937: medium
    SECURITY-951: low
    SECURITY-980: medium
    SECURITY-985: medium
    SECURITY-1033: medium
    SECURITY-1070: medium
    SECURITY-1320: high

Affected Versions

    Acunetix Plugin up to and including 1.0.0
    Arxan MAM Publisher Plugin up to and including 1.2.12
    Cloud Foundry Plugin up to and including 2.3.1
    ElectricFlow Plugin up to and including 1.1.4
    JMS Messaging Plugin up to and including 1.1.1
    Mattermost Notification Plugin up to and including 2.6.2
    OctopusDeploy Plugin up to and including 1.8.1
    Script Security Plugin up to and including 1.52

Fix

    Acunetix Plugin should be updated to version 1.1.0
    Arxan MAM Publisher Plugin should be updated to version 2.0
    Cloud Foundry Plugin should be updated to version 2.3.2
    ElectricFlow Plugin should be updated to version 1.1.5
    JMS Messaging Plugin should be updated to version 1.1.2
    Mattermost Notification Plugin should be updated to version 2.6.3
    OctopusDeploy Plugin should be updated to version 1.9.0
    Script Security Plugin should be updated to version 1.53

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless 
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and 
reporting these vulnerabilities:

    Daniel Beck, CloudBees, Inc. for SECURITY-937, SECURITY-1320
    Thomas de Grenier de Latour for SECURITY-817, SECURITY-876
    Viktor Gazdag for SECURITY-951, SECURITY-980, SECURITY-985, SECURITY-1033,
    SECURITY-1070

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----