This advisory announces multiple vulnerabilities in Jenkins and CloudBees Jenkins Platform.
These vulnerabilities affect the following components:
CloudBees Jenkins Operations Center
CloudBees Jenkins Enterprise
DEV@cloud
Jenkins
CloudBees Role-based Access Control Plugin
CSRF vulnerability in RBAC Plugin permission management
CJP-5866 / CVE-2016-9887
Several URLs related to group and role management did not require POST form submission, resulting in a CSRF vulnerability. Affected URLs allowed creation of (unused) roles, deletion of (unused) roles, and setting group descriptions. No permissions could be changed by exploiting this vulnerability.
Use of AES ECB block cipher mode without IV for encrypting secrets
SECURITY-304 / CVE-2017-2598
Secrets such as passwords are typically stored on disk and sent to users as part of some pages in encrypted form. These were encrypted using AES-128 ECB without IV, which exposes Jenkins and the stored secrets to unnecessary risks. Jenkins now encrypts secrets using AES-128 CBC with random IV.
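The following added example (not Jenkins code, written for this advisory to illustrate the point) contrasts the two schemes with `javax.crypto`: the legacy AES-128 ECB encryption is deterministic and leaves identical plaintext blocks as identical ciphertext blocks, whereas AES-128 CBC with a fresh random IV hides both. The layout of prepending the IV to the ciphertext and the sample secret are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SecretEncryptionModes {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int BLOCK = 16;

    // Legacy scheme from the advisory: AES-128 in ECB mode, no IV. Output depends only on key
    // and plaintext, so the same secret always encrypts to the same bytes.
    static byte[] encryptEcb(byte[] key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(plaintext);
    }

    // Fixed scheme: AES-128 in CBC mode with a fresh random IV per encryption. The IV is not
    // secret and is stored in front of the ciphertext (this layout is an assumption here).
    static byte[] encryptCbc(byte[] key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] body = c.doFinal(plaintext);
        byte[] out = new byte[BLOCK + body.length];
        System.arraycopy(iv, 0, out, 0, BLOCK);
        System.arraycopy(body, 0, out, BLOCK, body.length);
        return out;
    }

    // Reads the IV back from the front of the blob and decrypts the remainder.
    static byte[] decryptCbc(byte[] key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new IvParameterSpec(Arrays.copyOfRange(blob, 0, BLOCK)));
        return c.doFinal(Arrays.copyOfRange(blob, BLOCK, blob.length));
    }

    // Number of 16-byte ciphertext blocks that duplicate an earlier block: ECB's tell-tale sign.
    static int repeatedBlocks(byte[] ct) {
        Set<String> seen = new HashSet<>();
        int repeats = 0;
        for (int off = 0; off + BLOCK <= ct.length; off += BLOCK) {
            String block = Base64.getEncoder().encodeToString(Arrays.copyOfRange(ct, off, off + BLOCK));
            if (!seen.add(block)) {
                repeats++;
            }
        }
        return repeats;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[BLOCK];
        RNG.nextBytes(key);
        // Constructed sample secret: two identical 16-byte halves, so it contains a repeated block.
        byte[] secret = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        byte[] ecb1 = encryptEcb(key, secret);
        byte[] ecb2 = encryptEcb(key, secret);
        System.out.println("ECB: same secret twice gives identical ciphertext? " + Arrays.equals(ecb1, ecb2));
        System.out.println("ECB: repeated blocks within one ciphertext: " + repeatedBlocks(ecb1));

        byte[] cbc1 = encryptCbc(key, secret);
        byte[] cbc2 = encryptCbc(key, secret);
        System.out.println("CBC: same secret twice gives identical ciphertext? " + Arrays.equals(cbc1, cbc2));
        System.out.println("CBC: repeated blocks within one ciphertext: " + repeatedBlocks(cbc1));
        System.out.println("CBC round trip restores the secret? " + Arrays.equals(secret, decryptCbc(key, cbc1)));
    }
}
```

With ECB, any two users storing the same password produce the same stored bytes, and repeated structure inside a single secret is visible without the key; CBC with a random IV removes both leaks. Note that CBC on its own does not authenticate the ciphertext, so wherever an attacker can modify stored blobs a practitioner would add a MAC or use an authenticated mode such as AES-GCM.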
Items could be created with same name as existing item
SECURITY-321 / CVE-2017-2599
An insufficient permission check allowed users with the permission to create new items (e.g. jobs) to overwrite existing items they don’t have access to. After a Jenkins restart, children of the original item, such as builds, were then accessible in some circumstances.
Node monitor data could be viewed by low privilege users
SECURITY-343 / CVE-2017-2600
Overall/Read permission was sufficient to access node monitor data via the remote API. These included system configuration and runtime information of these nodes.
Possible cross-site scripting vulnerability in jQuery bundled with timeline widget
SECURITY-349 / CVE-2011-4969
The Simile timeline widget used on build history pages bundles an outdated jQuery vulnerable to CVE-2011-4969. We were unable to confirm that Jenkins is vulnerable, but updated the jQuery version bundled with the Simile timeline widget anyway.
Persisted cross-site scripting vulnerability in parameter names and descriptions
SECURITY-353 / CVE-2017-2601
Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
Outdated jbcrypt version bundled with Jenkins
SECURITY-354 / CVE-2015-0886
Jenkins bundled an outdated version of jbcrypt that was affected by CVE-2015-0886.
Pipeline metadata files not blacklisted in agent-to-master security subsystem
SECURITY-358 / CVE-2017-2602
The Pipeline suite of plugins stored build metadata in the file program.dat and the directory workflow/. These were not blacklisted in the agent-to-master security subsystem and could therefore be written to by malicious agents.
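As an added illustration of the kind of check an agent-to-master file filter performs (this is example code, not the Jenkins subsystem's own implementation), the class below normalizes an agent-requested path against the build directory, rejects anything that escapes it, and then refuses the two names from this advisory. The deny list is deliberately limited to those two entries, and denying the name at any depth of the path is an assumption that errs on the strict side.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

public class AgentWritePathFilter {
    // Names an agent must never write under a build directory. Only the two entries named in
    // the advisory are listed here; a real deployment uses the list shipped with Jenkins.
    static final Set<String> DENIED = Set.of("program.dat", "workflow");

    // Returns true if an agent-requested write to `relative` inside `buildDir` should be allowed.
    static boolean isWriteAllowed(Path buildDir, String relative) {
        Path root = buildDir.toAbsolutePath().normalize();
        Path target = root.resolve(relative).normalize();
        // Absolute paths and "../" sequences resolve outside root; the root itself is not a file.
        if (!target.startsWith(root) || target.equals(root)) {
            return false;
        }
        // Deny if any path component is a denied name. This covers the file itself and
        // everything below the denied directory (assumption: stricter than strictly needed).
        for (Path part : root.relativize(target)) {
            if (DENIED.contains(part.toString())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample build directory; nothing is touched on disk.
        Path buildDir = Paths.get("/var/lib/jenkins/jobs/app/builds/42");
        String[] requests = {
            "log",                          // ordinary build output: allowed
            "archive/report.txt",           // nested artifact: allowed
            "program.dat",                  // Pipeline metadata file: denied
            "workflow/3.xml",               // inside Pipeline metadata directory: denied
            "./workflow",                   // same directory via a "." prefix: denied
            "../41/program.dat",            // escapes this build directory: denied
            "/etc/passwd",                  // absolute path: denied
        };
        for (String r : requests) {
            System.out.printf("%-22s -> %s%n", r, isWriteAllowed(buildDir, r) ? "allowed" : "denied");
        }
    }
}
```

The order matters: normalize first, then compare against the root, then consult the deny list, so that spellings such as `./workflow` or `archive/../workflow` cannot slip past a plain string comparison.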
User data leak in disconnected agents' config.xml API
SECURITY-362 / CVE-2017-2603
Agents that were disconnected by users contained the disconnecting user's User object in serialized form in the config.xml remote API output. This could leak sensitive data such as API tokens.
Low privilege users were able to act on administrative monitors
SECURITY-371 / CVE-2017-2604
Administrative monitors are warnings about the system state shown to Jenkins admins. They sometimes provide actions to e.g. automatically address the reported problem, or disable the warning. These actions were not consistently protected by permission checks, thereby allowing low privilege users to act on them.
All administrative monitors now require the user accessing them to be an administrator.
Re-key admin monitor leaves behind unencrypted credentials in upgraded installations
SECURITY-376 / CVE-2017-2605
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards.
Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups and delete it, if present.
Internal API allowed access to item names that should not be visible
SECURITY-380 / CVE-2017-2606
The method Jenkins#getItems() included a performance optimization that resulted in all items being returned if the "Logged-in users can do anything" authorization strategy was used and no access was granted to anonymous users (an option added in Jenkins 2.0). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.
Persisted cross-site scripting vulnerability in console notes
SECURITY-382 / CVE-2017-2607
Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Popular examples include the highlighting of sections by Ant Plugin, or the timestamp metadata from Timestamper. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.
To prevent this, console notes are now signed by Jenkins when created, and Jenkins will only deserialize correctly signed console notes. As a side effect, console notes created before updating to a release containing this fix will no longer be deserialized. To restore the previous (unsafe) behavior, set the system property hudson.console.ConsoleNote.INSECURE to true.
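The added example below (not Jenkins's ConsoleNote implementation) shows the mechanism in its simplest form: the server attaches an HMAC computed with a server-side key to each note it creates, and the log renderer verifies that HMAC in constant time before it deserializes anything. A note printed by a build script, or a genuine note whose body was edited afterwards, fails the check and is dropped. The `mac:body` encoding, the use of a plain string as the note body, and the sample notes are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedConsoleNotes {
    private static final String HMAC_ALG = "HmacSHA256";

    // Server side: serialize the note and prefix it with an HMAC over the serialized bytes.
    // Real console notes are Java-serialized objects; a string body keeps the focus on the check.
    static String encode(byte[] key, String noteBody) throws Exception {
        byte[] body = noteBody.getBytes(StandardCharsets.UTF_8);
        byte[] mac = hmac(key, body);
        return Base64.getEncoder().encodeToString(mac) + ":" + Base64.getEncoder().encodeToString(body);
    }

    // Rendering side: verify the HMAC first; only a verified body is "deserialized" (returned).
    // A null result models "note rejected, shown as plain text or dropped".
    static String decode(byte[] key, String encoded) throws Exception {
        int sep = encoded.indexOf(':');
        if (sep < 0) {
            return null;
        }
        byte[] mac;
        byte[] body;
        try {
            mac = Base64.getDecoder().decode(encoded.substring(0, sep));
            body = Base64.getDecoder().decode(encoded.substring(sep + 1));
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        // Constant-time comparison so timing does not leak how many MAC bytes matched.
        if (!MessageDigest.isEqual(mac, hmac(key, body))) {
            return null;
        }
        return new String(body, StandardCharsets.UTF_8);
    }

    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac m = Mac.getInstance(HMAC_ALG);
        m.init(new SecretKeySpec(key, HMAC_ALG));
        return m.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Per-instance signing key; Jenkins would persist this in JENKINS_HOME (assumption).
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);

        // Constructed sample: a note created by the server itself.
        String legit = encode(key, "<b>BUILD SUCCESS</b>");
        System.out.println("signed note     -> " + decode(key, legit));

        // Constructed sample: a note emitted by build output, which has no access to the key.
        String unsigned = "AAAA:" + Base64.getEncoder()
                .encodeToString("<note from build script>".getBytes(StandardCharsets.UTF_8));
        System.out.println("unsigned note   -> " + decode(key, unsigned));

        // Constructed sample: a genuine signature attached to a different body.
        String tampered = legit.substring(0, legit.indexOf(':') + 1) + Base64.getEncoder()
                .encodeToString("<i>BUILD FAILED</i>".getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered note   -> " + decode(key, tampered));
    }
}
```

The key consequence matches the advisory's side effect: anything signed under a different key, including notes written before the key existed, is rejected, which is why older build logs lose their annotations after the upgrade.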
XStream remote code execution vulnerability
SECURITY-383 / CVE-2017-2608
XStream-based APIs in Jenkins (e.g. the /createItem URLs or the POST config.xml remote API) were vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio. These types have been added to the deserialization blacklist. In case this extension of the blacklist results in regressions, the blacklist can be customized.
Information disclosure vulnerability in search suggestions
SECURITY-385 / CVE-2017-2609
The autocompletion for the search box provided the names of views the current user does not have access to in its suggestions. These suggestions were removed.
Persisted cross-site scripting vulnerability in search suggestions
SECURITY-388 / CVE-2017-2610
Jenkins allows the creation of users with less-than and greater-than characters in their names. These user names were not escaped when displaying search suggestions, resulting in a cross-site scripting vulnerability.
Insufficient permission check for periodic processes
SECURITY-389 / CVE-2017-2611
The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on the Jenkins master and agents.
Low privilege users were able to override JDK download credentials
SECURITY-392 / CVE-2017-2612
Jenkins allows administrators to enter their username and password to the Oracle download site which provides JDKs for download. Users with read access to Jenkins were able to override these credentials, resulting in future builds possibly failing to download a JDK. A permission check has been added.
User creation CSRF using GET by admins
SECURITY-406 / CVE-2017-2613
When administrators accessed a URL like /user/example via HTTP GET, a user with the ID example was created if it did not exist. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records.
Accessing these URLs now no longer results in a user record getting created; Jenkins will respond with 404 Not Found if no such user exists. When using the internal Jenkins user database, new users can be created via Manage Jenkins » Manage Users. To restore the previous (unsafe) behavior, set the system property hudson.model.User.allowUserCreationViaUrl to true.