Registration for DevOps World Virtual is now live! Join us on September 17 to celebrate 20 years of Jenkins →

CloudBees Security Advisory 2024-08-07

This advisory announces vulnerabilities in CloudBees CI, Jenkins and CloudBees Jenkins Platform

Folder CasC export is showing Vault SSH private keys in plain text

BEE-50825
Severity (CVSS): Medium
Description:

In the exported YAML file, the key `privateKeys` was showing the SSH private keys in plain text for CloudBees HashiCorp Vault SSH credentials. This key was removed from the export.

Arbitrary file read vulnerability through agent connections can lead to RCE

SECURITY-3430 / CVE-2024-43044
Severity (CVSS): Critical
Description:

This entry was updated on 2024-08-12 to add a reference to a workaround.

Jenkins uses the Remoting library (typically agent.jar or remoting.jar) for the communication between controller and agents. This library allows agents to load classes and classloader resources from the controller, so that Java objects sent from the controller (build steps, etc.) can be executed on agents.

In addition to individual class and resource files, Remoting also allows Jenkins plugins to transmit entire jar files to agents using the Channel#preloadJar API. As of publication of this advisory, this feature is used by the following plugins distributed by the Jenkins project: bouncycastle API, Groovy, Ivy, TeamConcert

In Remoting 3256.v88a_f6e922152 and earlier, except 3206.3208.v409508a_675ff and 3248.3250.v3277a_8e88c9b_, included in Jenkins 2.470 and earlier, LTS 2.452.3 and earlier, calls to Channel#preloadJar result in the retrieval of files from the controller by the agent using ClassLoaderProxy#fetchJar. Additionally, the implementation of ClassLoaderProxy#fetchJar invoked on the controller does not restrict paths that agents could request to read from the controller file system.

This allows agent processes, code running on agents, and attackers with Agent/Connect permission to read arbitrary files from the Jenkins controller file system.

This vulnerability also affects the connection between operations center and managed/client controllers in CloudBees CI. As a result, attackers on any agent connected to any managed/client controller can use the information obtained from files to first execute code on the managed/client controller, and in turn attack operations center in the same way.

This is a critical vulnerability as the information obtained can be used to increase access up to and including remote code execution (RCE). See SECURITY-3314 for known impacts of exploiting arbitrary file read vulnerabilities in Jenkins. Be aware that the limitation of unreadable binary data with some character encodings discussed in SECURITY-3314 does not apply to SECURITY-3430.

Fix description

The Remoting library in Jenkins 2.471, LTS 2.452.4, LTS 2.462.1 now sends jar file contents with Channel#preloadJar requests, the only use case of ClassLoaderProxy#fetchJar in agents, so that agents do not need to request jar file contents from controllers anymore.

To retain compatibility with older versions of Remoting in combination with the plugins listed above, ClassLoaderProxy#fetchJar is retained and otherwise unused, just deprecated. Its implementation in Jenkins 2.471, LTS 2.452.4, LTS 2.462.1 was changed so that it is now limited to retrieving jar files referenced in the core classloader or any plugin classloader.

To protect from exploitation, the presence of the fix is only required to be installed on the controller.

Agents with older versions of remoting can still be used safely.

In case of problems with Channel#preloadJar on older Remoting clients, administrators can disable this protection by setting the Java system property hudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR on the controller to true. This is only advisable if code running on agents, including build scripts and test code from SCM, is as trusted as Jenkins administrators.

Administrators who want to prohibit jar requests by agents through ClassLoaderProxy#fetchJar entirely can set the Java system property jenkins.security.s2m.JarURLValidatorImpl.REJECT_ALL on the controller to true.

This may break some features of the plugins listed above on agents running older versions of Remoting.

If you use affected functionality of the plugins identified above, agents should be updated to a version of remoting matching the version on the controller.

Workaround

A workaround for this issue is available on GitHub for administrators unable to immediately update. It will disable the affected Channel#preloadJar functionality, and is therefore incompatible with the affected functionality of the plugins mentioned above.

We recommend that you watch at least new releases in this repository to be informed of updates to the workaround.

Please, contact CB support for any help related on this topic

Missing permission check allows accessing other users' "My Views"

SECURITY-3349 / CVE-2024-43045
Severity (CVSS): Medium
Description:

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "My Views".

Jenkins 2.471, LTS 2.452.4, LTS 2.462.1 restricts access to a user’s "My Views" to the owning user and administrators.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.462.1.3 or 2.452.4.1

  • CloudBees Cloud Platforms should be upgraded to 2.462.1.3 or 2.452.4.1

  • CloudBees HashiCorp Vault Plugin should be upgraded to 1.455

More Security Advisories

From code to customer.

Continuously advancing your business.

© 2024 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders.