Discussion:
[oss-security] Jenkins plugins -- multiple vulnerabilities
(too old to reply)
Florent Rougon
2017-07-13 21:04:45 UTC
Permalink
I saw this on the oss-security mailing-list. If this forwarding is
undesirable, just say so. :-)

Regards
Torsten Dreyer
2017-07-14 08:24:37 UTC
Permalink
I just updated all plugins.
Funny, but /the/ tool for scheduling and running complex tasks has no
option to perform automatic updates for itself.

Anyway - thanks for pointing this one out.

Gene - if you have some time, there is is new Jenkins version out. That's
has to be done locally.
Post by Florent Rougon
I saw this on the oss-security mailing-list. If this forwarding is
undesirable, just say so. :-)
Regards
---------- Forwarded message ----------
Date: Tue, 11 Jul 2017 13:52:16 +0200
Subject: [oss-security] Jenkins plugins -- multiple vulnerabilities
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
- Docker Commons Plugin 1.8
- Git Plugin 3.3.2 and 3.4.0-beta-2
- GitHub Branch Source Plugin 2.0.8 and 2.2.0-beta-2
- Parameterized Trigger Plugin 2.35
- Periodic Backup Plugin 1.5
- Pipeline: Build Step Plugin 2.5.1
- Pipeline: Groovy Plugin 2.36.1
- Poll SCM Plugin 1.3.1
- Role-based Authorization Strategy Plugin 2.5.1
- Script Security Plugin 1.29.1
- Sidebar Link Plugin 1.9
- SSH Plugin 2.5
- Subversion Plugin 2.9
Users of these plugins should upgrade them to the indicated versions.
Summary and description of the vulnerabilities are below. Some more
details,
https://jenkins.io/security/advisory/2017-07-10/
https://groups.google.com/d/forum/jenkinsci-advisories
If you find security vulnerabilities in Jenkins, please report them as
https://jenkins.io/security/#reporting-vulnerabilities
---
SECURITY-201 / CVE-2017-1000084
Parameterized Trigger Plugin fails to check Item/Build permission: The
Parameterized Trigger Plugin did not check the build authentication it was
running as and allowed triggering any other project in Jenkins.
SECURITY-303 / CVE-2017-1000085
Subversion Plugin connects to a user-specified Subversion repository as
part
of form validation (e.g. to retrieve a list of tags). This functionality
improperly checked permissions, allowing any user with Item/Build
permission
(but not Item/Configure) to connect to any web server or Subversion server
and send credentials with a known ID, thereby possibly capturing them.
Additionally, this functionality did not require POST requests be used,
thereby allowing the above to be performed without direct access to Jenkins
via Cross-Site Request Forgery attacks.
SECURITY-335 / CVE-2017-1000086
The Periodic Backup Plugin did not perform any permission checks, allowing
any user with Overall/Read access to change its settings, trigger backups,
restore backups, download backups, and also delete all previous backups via
log rotation. Additionally, the plugin was not requiring requests to its
API
be sent via POST, thereby opening itself to Cross-Site Request Forgery
attacks.
SECURITY-342 / CVE-2017-1000087
GitHub Branch Source provides a list of applicable credential IDs to allow
users configuring a job to select the one they’d like to use. This
functionality did not check permissions, allowing any user with
Overall/Read
permission to get a list of valid credentials IDs. Those could be used as
part of an attack to capture the credentials using another vulnerability.
SECURITY-352 / CVE-2017-1000088
The Sidebar Link plugin allows users able to configure jobs, views, and
agents to add entries to the sidebar of these objects. There was no input
validation, which meant users were able to use javascript: schemes for
these
links. Now, only a set of whitelisted schemes are allowed by default.
SECURITY-433 / CVE-2017-1000089
Builds in Jenkins are associated with an authentication that controls the
permissions that the build has to interact with other elements in Jenkins.
The Pipeline: Build Step Plugin did not check the build authentication it
was running as and allowed triggering any other project in Jenkins.
SECURITY-516 / CVE-2017-1000090
Role-based Authorization Strategy Plugin was not requiring requests to its
API be sent via POST, thereby opening itself to Cross-Site Request Forgery
attacks. This allowed attackers to add administrator role to any user, or
to
remove the authorization configuration, preventing legitimate access to
Jenkins.
SECURITY-527 / CVE-2017-1000091
GitHub Branch Source Plugin connects to a user-specified GitHub API URL
(e.g.
GitHub Enterprise) as part of form validation and completion (e.g. to
verify
Scan Credentials are correct). This functionality improperly checked
permissions, allowing any user with Overall/Read access to Jenkins to
connect to any web server and send credentials with a known ID, thereby
possibly capturing them. Additionally, this functionality did not require
POST requests be used, thereby allowing the above to be performed without
direct access to Jenkins via Cross-Site Request Forgery.
SECURITY-528 / CVE-2017-1000092
Git Plugin connects to a user-specified Git repository as part of form
validation. An attacker with no direct access to Jenkins but able to guess
at a username/password credentials ID could trick a developer with job
configuration permissions into following a link with a maliciously crafted
Jenkins URL which would result in the Jenkins Git client sending the
username and password to an attacker-controlled server.
SECURITY-529 / CVE-2017-1000093
Poll SCM Plugin was not requiring requests to its API be sent via POST,
thereby opening itself to Cross-Site Request Forgery attacks. This allowed
attackers to initiate polling of projects with a known name. While Jenkins
in general does not consider polling to be a protection-worthy action as
it’s similar to cache invalidation, the plugin specifically adds a
permission to be able to use this functionality, and this issue undermines
that permission.
SECURITY-533 / CVE-2017-1000094
Docker Commons Plugin provides a list of applicable credential IDs to allow
users configuring a job to select the one they’d like to use to
authenticate
with a Docker Registry. This functionality did not check permissions,
allowing any user with Overall/Read permission to get a list of valid
credentials IDs. Those could be used as part of an attack to capture the
credentials using another vulnerability.
SECURITY-538 / CVE-2017-1000095
The default Script Security Plugin whitelist included the following unsafe
DefaultGroovyMethods.putAt(Object, String, Object)
DefaultGroovyMethods.getAt(Object, String)
These allowed circumventing many of the access restrictions implemented in
the script sandbox by using e.g. currentBuild['rawBuild'] rather than
currentBuild.rawBuild.
Additionally, the following entries could allow accessing private data that
groovy.json.JsonOutput.toJson(Closure)
groovy.json.JsonOutput.toJson(Object).
These have now been removed from the whitelist and added to the blacklist.
SECURITY-551 / CVE-2017-1000096
Arbitrary code execution due to incomplete sandbox protection in Pipeline
Groovy Plugin: Constructors, instance variable initializers, and instance
initializers in Pipeline scripts were not subject to sandbox protection,
and
could therefore execute arbitrary code. This could be exploited e.g. by
regular Jenkins users with the permission to configure Pipelines in
Jenkins,
or by trusted committers to repositories containing Jenkinsfiles. These
language elements are now subject to sandbox protection.
JENKINS-21436
The SSH Plugin stores credentials which allow jobs to access remote servers
via the SSH protocol. User passwords and passphrases for encrypted SSH keys
are stored in plaintext in a configuration file. SSH Plugin now integrates
with the Credentials Plugin and existing credentials are migrated.
--
Florent
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Flightgear-devel mailing list
https://lists.sourceforge.net/lists/listinfo/flightgear-devel
--
Torsten Dreyer
Florent Rougon
2017-07-14 13:14:11 UTC
Permalink
Post by Torsten Dreyer
I just updated all plugins.
Funny, but /the/ tool for scheduling and running complex tasks has no
option to perform automatic updates for itself.
Heh. Thank you, Torsten!
--
Florent
geneb
2017-07-14 14:13:38 UTC
Permalink
Post by Torsten Dreyer
Gene - if you have some time, there is is new Jenkins version out. That's
has to be done locally.
Thanks.

We're now at 2.69-1.1

g.
--
Proud owner of F-15C 80-0007
http://www.f15sim.com - The only one of its kind.
http://www.diy-cockpits.org/coll - Go Collimated or Go Home.
Some people collect things for a hobby. Geeks collect hobbies.

ScarletDME - The red hot Data Management Environment
A Multi-Value database for the masses, not the classes.
http://scarlet.deltasoft.com - Get it _today_!
Loading...