Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Jul 2017 13:52:16 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Jenkins plugins -- multiple vulnerabilities

Jenkins is an open source automation server which enables developers around 
the world to reliably build, test, and deploy their software. The following 
plugin releases contain fixes for security vulnerabilities:

- Docker Commons Plugin 1.8
- Git Plugin 3.3.2 and 3.4.0-beta-2
- GitHub Branch Source Plugin 2.0.8 and 2.2.0-beta-2
- Parameterized Trigger Plugin 2.35
- Periodic Backup Plugin 1.5
- Pipeline: Build Step Plugin 2.5.1
- Pipeline: Groovy Plugin 2.36.1
- Poll SCM Plugin 1.3.1
- Role-based Authorization Strategy Plugin 2.5.1
- Script Security Plugin 1.29.1
- Sidebar Link Plugin 1.9
- SSH Plugin 2.5
- Subversion Plugin 2.9

Users of these plugins should upgrade them to the indicated versions.

Summary and description of the vulnerabilities are below. Some more details, 
severity, and attribution can be found here:
https://jenkins.io/security/advisory/2017-07-10/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you find security vulnerabilities in Jenkins, please report them as 
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---


SECURITY-201 / CVE-2017-1000084
Parameterized Trigger Plugin fails to check Item/Build permission: The 
Parameterized Trigger Plugin did not check the build authentication it was 
running as and allowed triggering any other project in Jenkins.

SECURITY-303 / CVE-2017-1000085
Subversion Plugin connects to a user-specified Subversion repository as part 
of form validation (e.g. to retrieve a list of tags). This functionality 
improperly checked permissions, allowing any user with Item/Build permission 
(but not Item/Configure) to connect to any web server or Subversion server 
and send credentials with a known ID, thereby possibly capturing them. 
Additionally, this functionality did not require POST requests be used, 
thereby allowing the above to be performed without direct access to Jenkins 
via Cross-Site Request Forgery attacks.

SECURITY-335 / CVE-2017-1000086
The Periodic Backup Plugin did not perform any permission checks, allowing 
any user with Overall/Read access to change its settings, trigger backups, 
restore backups, download backups, and also delete all previous backups via 
log rotation. Additionally, the plugin was not requiring requests to its API 
be sent via POST, thereby opening itself to Cross-Site Request Forgery 
attacks.

SECURITY-342 / CVE-2017-1000087
GitHub Branch Source provides a list of applicable credential IDs to allow 
users configuring a job to select the one they’d like to use. This 
functionality did not check permissions, allowing any user with Overall/Read 
permission to get a list of valid credentials IDs. Those could be used as 
part of an attack to capture the credentials using another vulnerability.

SECURITY-352 / CVE-2017-1000088
The Sidebar Link plugin allows users able to configure jobs, views, and 
agents to add entries to the sidebar of these objects. There was no input 
validation, which meant users were able to use javascript: schemes for these 
links. Now, only a set of whitelisted schemes are allowed by default.

SECURITY-433 / CVE-2017-1000089
Builds in Jenkins are associated with an authentication that controls the 
permissions that the build has to interact with other elements in Jenkins. 
The Pipeline: Build Step Plugin did not check the build authentication it 
was running as and allowed triggering any other project in Jenkins.

SECURITY-516 / CVE-2017-1000090
Role-based Authorization Strategy Plugin was not requiring requests to its 
API be sent via POST, thereby opening itself to Cross-Site Request Forgery 
attacks. This allowed attackers to add administrator role to any user, or to 
remove the authorization configuration, preventing legitimate access to 
Jenkins.

SECURITY-527 / CVE-2017-1000091
GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g.
GitHub Enterprise) as part of form validation and completion (e.g. to verify 
Scan Credentials are correct). This functionality improperly checked 
permissions, allowing any user with Overall/Read access to Jenkins to 
connect to any web server and send credentials with a known ID, thereby 
possibly capturing them. Additionally, this functionality did not require 
POST requests be used, thereby allowing the above to be performed without 
direct access to Jenkins via Cross-Site Request Forgery.

SECURITY-528 / CVE-2017-1000092
Git Plugin connects to a user-specified Git repository as part of form 
validation. An attacker with no direct access to Jenkins but able to guess 
at a username/password credentials ID could trick a developer with job 
configuration permissions into following a link with a maliciously crafted 
Jenkins URL which would result in the Jenkins Git client sending the 
username and password to an attacker-controlled server.

SECURITY-529 / CVE-2017-1000093
Poll SCM Plugin was not requiring requests to its API be sent via POST, 
thereby opening itself to Cross-Site Request Forgery attacks. This allowed 
attackers to initiate polling of projects with a known name. While Jenkins 
in general does not consider polling to be a protection-worthy action as 
it’s similar to cache invalidation, the plugin specifically adds a 
permission to be able to use this functionality, and this issue undermines 
that permission.

SECURITY-533 / CVE-2017-1000094
Docker Commons Plugin provides a list of applicable credential IDs to allow 
users configuring a job to select the one they’d like to use to authenticate 
with a Docker Registry. This functionality did not check permissions, 
allowing any user with Overall/Read permission to get a list of valid 
credentials IDs. Those could be used as part of an attack to capture the 
credentials using another vulnerability.

SECURITY-538 / CVE-2017-1000095
The default Script Security Plugin whitelist included the following unsafe 
entries:

    DefaultGroovyMethods.putAt(Object, String, Object)
    DefaultGroovyMethods.getAt(Object, String)

These allowed circumventing many of the access restrictions implemented in 
the script sandbox by using e.g. currentBuild['rawBuild'] rather than 
currentBuild.rawBuild.

Additionally, the following entries could allow accessing private data that 
would not be accessible otherwise from the sandboxed environment:

    groovy.json.JsonOutput.toJson(Closure)
    groovy.json.JsonOutput.toJson(Object).

These have now been removed from the whitelist and added to the blacklist.

SECURITY-551 / CVE-2017-1000096
Arbitrary code execution due to incomplete sandbox protection in Pipeline 
Groovy Plugin: Constructors, instance variable initializers, and instance 
initializers in Pipeline scripts were not subject to sandbox protection, and 
could therefore execute arbitrary code. This could be exploited e.g. by 
regular Jenkins users with the permission to configure Pipelines in Jenkins, 
or by trusted committers to repositories containing Jenkinsfiles. These 
language elements are now subject to sandbox protection.

JENKINS-21436
The SSH Plugin stores credentials which allow jobs to access remote servers 
via the SSH protocol. User passwords and passphrases for encrypted SSH keys 
are stored in plaintext in a configuration file. SSH Plugin now integrates 
with the Credentials Plugin and existing credentials are migrated.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ