CloudBees Security Advisory 2018-07-18

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart

SECURITY-897

Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. This configuration file contains basic configuration of Jenkins, including the selected security realm and authorization strategy. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

The fix prevents this behavior.

To mitigate this problem, we strongly advise administrators of Jenkins instances that do not have this fix and are reachable by untrusted users to save the global configuration shortly before shutting down Jenkins. Doing so writes the current configuration from memory to the config.xml file, which is only read on startup or when the configuration is reloaded.

If Jenkins has already been shut down after this issue has been exploited, the config.xml file can be found at users/$002e$002e/config.xml in the Jenkins home directory.
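A defender-side check for this issue, added here as an example and not part of the CloudBees advisory: it takes the Jenkins home directory as an argument (the location is an assumption; pass your own), reports whether config.xml is in place or has been displaced to the users/$002e$002e/config.xml path named above, and offers a restore step to run before Jenkins is started again so that it does not come up with the legacy anonymous-administrator defaults. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the CloudBees advisory or the Jenkins project.
# Checks a Jenkins home directory for the SECURITY-897 symptom: config.xml
# missing from the home directory and a displaced copy sitting at
# users/$002e$002e/config.xml (the path named in the advisory).
#
# Return codes of check_jenkins_config (hypothetical helper):
#   0  config.xml present in the Jenkins home directory
#   1  config.xml missing and no displaced copy found
#   2  config.xml missing but the displaced copy exists
check_jenkins_config() {
  home="$1"
  # The directory name contains literal dollar signs, hence the escapes.
  displaced="$home/users/\$002e\$002e/config.xml"
  if [ -f "$home/config.xml" ]; then
    echo "OK: $home/config.xml present"
    return 0
  fi
  if [ -f "$displaced" ]; then
    echo "WARNING: $home/config.xml missing; displaced copy found at $displaced"
    return 2
  fi
  echo "WARNING: $home/config.xml missing and no displaced copy found"
  return 1
}

# Moves the displaced copy back into place before Jenkins is restarted.
# Never overwrites an existing config.xml. Returns 0 on success or when
# nothing needs doing, 1 when there is no displaced copy to restore.
restore_jenkins_config() {
  home="$1"
  displaced="$home/users/\$002e\$002e/config.xml"
  if [ -f "$home/config.xml" ]; then
    echo "$home/config.xml already present; nothing to do"
    return 0
  fi
  if [ ! -f "$displaced" ]; then
    echo "no displaced copy at $displaced to restore" >&2
    return 1
  fi
  mv "$displaced" "$home/config.xml" && echo "restored $home/config.xml from $displaced"
}

# Stand-alone usage: run against $JENKINS_HOME when it is set in the environment
# (assumed location; adjust to your installation).
if [ -n "${JENKINS_HOME:-}" ]; then
  check_jenkins_config "$JENKINS_HOME"
fi
```

Run the check while Jenkins is stopped and before starting it again; a return code of 2 means the displaced copy should be moved back (restore_jenkins_config does that), and a return code of 1 means the configuration must be reconstructed from a backup, because a start without config.xml reverts to the legacy defaults described above.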

This issue was caused by the fix for SECURITY-499 in the 2017-11-08 security advisory.

Arbitrary file read vulnerability

SECURITY-914

An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master process has access to.

Input validation in Stapler has been improved to prevent this.

Unauthorized users could cancel queued builds

SECURITY-891

The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds.

The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission.

Unauthorized users could initiate and abort agent launches

SECURITY-892

The URL that initiates agent launches on the Jenkins master did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches.

Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching indefinitely.

The URL for agent launches now ensures that the user has the Agent/Connect permission.

Stored XSS vulnerability

SECURITY-944

The build timeline widget shown on URLs like /view/…/builds did not properly escape display names of items. This resulted in a cross-site scripting vulnerability exploitable by users able to control item display names.

Jenkins now escapes job display names shown on the timeline widget.

Unauthorized users are able to determine when a plugin was extracted from its JPI package

SECURITY-925

Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users with Overall/Read permission. This allowed unauthorized users to determine the likely install date of a given plugin.

The affected file is no longer available via HTTP.

XSS vulnerability in Stapler debug mode

SECURITY-390

Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information. Those error pages did not escape parts of URLs they displayed, in rare cases resulting in a cross-site scripting vulnerability.

Parts of URLs displayed on these error pages are now properly escaped.

As a workaround, Stapler debug mode should not be enabled on instances accessible to untrusted users.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.121.2.1

  • CloudBees Cloud Platforms should be upgraded to 2.121.2.1

  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.121.2.1

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.121.2.1

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.73.34.0.1

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.107.33.0.1

  • CloudBees Jenkins Team should be upgraded to version 2.121.2.1

  • DEV@cloud is already protected