This advisory announces multiple vulnerabilities in Jenkins (weekly and LTS), and these plugins:
SECURITY-478 / CVE-2017-1000393
Users with permission to create or configure agents in Jenkins could configure a launch method called Launch agent via execution of command on master. This allowed them to run arbitrary shell commands on the Jenkins controller whenever the agent was supposed to be launched.
Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.
|
A known limitation of this fix is that users without the Run Scripts permission are no longer able to configure agents with this launch method at all, even if the launch method remains unchanged. A future release of Jenkins will move this launch method into a separate plugin. That plugin will depend on Script Security Plugin to secure this field and restore the ability of users without the Run Scripts permission to configure an agent with this launch method. |
SECURITY-490 / CVE-2017-1000394
Jenkins bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092.
The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.
SECURITY-514 / CVE-2017-1000395
Information about Jenkins user accounts is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API.
This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed.
The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator or the user themselves.
SECURITY-555 / CVE-2017-1000396
Jenkins bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
This library is widely used as a transitive dependency in Jenkins plugins.
The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.
SECURITY-557 / CVE-2017-1000397
Maven Plugin bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
Maven Plugin 3.0 no longer has a dependency on commons-httpclient.
SECURITY-597 / CVE-2017-1000402
Swarm Plugin Client bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
The fix for CVE-2012-6153 was backported to the version of commons-httpclient bundled in Swarm Plugin Client.
IMPORTANT: Please note that Swarm Plugin Client needs to be updated independently from the plugin. Updating just the plugin will not resolve the security vulnerability.
SECURITY-611 / CVE-2017-1000398
The remote API at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent.
This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.
This has been fixed, and the API now only shows information about accessible tasks.
SECURITY-618 / CVE-2017-1000399
The remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start).
This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.
This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.
SECURITY-617 / CVE-2017-1000400
The remote API at /job/(job-name)/api contained information about upstream and downstream projects.
This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.
This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.
SECURITY-616 / CVE-2017-1000401
The Jenkins default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys).
The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files.
Form validation for <f:password/> is now always sent via POST, with the password in the request body, which is typically not logged.
SECURITY-623 / CVE-2017-1000403
This plugin allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.
As of publication of this advisory, there is no fix.
Jenkins weekly up to and including 2.83
Jenkins LTS up to and including 2.73.1
Maven Plugin up to and including 2.17
All versions of Speaks! Plugin
Swarm Plugin (Client) up to and including 3.4
Jenkins weekly should be updated to 2.84
Jenkins LTS should be updated to 2.73.2
Maven Plugin should be updated to 3.0
Swarm Plugin (Client) should be updated to 3.5
These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, there is no fix available for Speaks! Plugin. Its distribution has been suspended.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
Ananthapadmanabhan S R for SECURITY-514
Ben Walding, CloudBees, Inc. for SECURITY-616
Daniel Beck, CloudBees, Inc. for SECURITY-478, SECURITY-611, SECURITY-623
Jesse Glick, CloudBees, Inc. for SECURITY-617, SECURITY-618