Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141002000436.GA23335@openwall.com>
Date: Thu, 2 Oct 2014 04:04:36 +0400
From: Solar Designer <solar@...nwall.com>
To: Kohsuke Kawaguchi <kk@...suke.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: Security advisory in Jenkins

On Wed, Oct 01, 2014 at 04:25:08PM -0700, Kohsuke Kawaguchi wrote:
> I just wanted to share that the Jenkins project issued a security advisory
> today. These issues are independently found and we've aggregated into a
> single release.
> 
> The relevant CVE IDs, our bug tracking IDs are available here
> <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01>
> .
> 
> The new versions can be downloaded from here
> <http://mirrors.jenkins-ci.org/>.
> 
> (This is the first time I do this, so my apologies in advance for probably
> failing to follow the expected format.)

Thank you for posting this!

No problem with the format, but the lack of information included in the
posting itself is not great.  We've all seen websites getting
restructured or going away in some years, whereas mailing list archives
tend to remain available in at least some of the places.

So I hope you don't mind me copy-pasting the advisory below, off your
wiki above:

---
Jenkins Security Advisory 2014-10-01

Added by Kohsuke Kawaguchi, last edited by Kohsuke Kawaguchi on Oct 01, 2014

This advisory announces:

 * multiple security vulnerabilities that were found in Jenkins core.
 * two security vulnerabilities found in the monitoring plugin

Description

SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI handshake)

This vulnerability allows unauthenticated users with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on Jenkins through thread exhaustion.

SECURITY-110/CVE-2014-3662 (User name discovery)

Anonymous users can test if the user of a specific name exists or not through login attempts.

SECURITY-127&128/CVE-2014-3663 (privilege escalation in job configuration permission)

An user with a permission limited to Job/CONFIGURE can exploit this vulnerability to effectively create a new job, which should have been only possible for users with Job/CREATE permission, or to destroy jobs that he/she does not have access otherwise.

SECURITY-131/CVE-2014-3664 (directory traversal attack)

Users with Overall/READ permission can access arbitrary files in the file system readable by the Jenkins process, resulting in the exposure of sensitive information, such as encryption keys.

SECURITY-138/CVE-2014-3680 (Password exposure in DOM)

If a parameterized job has a default value in a password field, that default value gets exposed to users with Job/READ permission.

SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins core)

Reflected cross-site scripting vulnerability in Jenkins core. An attacker can navigate the user to a carefully crafted URL and have the user execute unintended actions.

SECURITY-150/CVE-2014-3666 (remote code execution from CLI)

Unauthenticated user can execute arbitrary code on Jenkins master by sending carefully crafted packets over the CLI channel.

SECURITY-155/CVE-2014-3667 (exposure of plugin code)

Programs that constitute plugins can be downloaded by anyone with the Overall/READ permission, resulting in the exposure of otherwise sensitive information, such as hard-coded keys in plugins, if any.

SECURITY-159/CVE-2013-2186 (arbitrary file system write)

Security vulnerability in commons fileupload allows unauthenticated attacker to upload arbitrary files to Jenkins master.

SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in ZeroClipboard)

reflective XSS vulnerability in one of the library dependencies of Jenkins.

SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring plugin)

Monitoring plugin allows an attacker to cause a victim into executing unwanted actions on Jenkins instance.

SECURITY-113/CVE-2014-3679 (hole in access control)

Certain pages in monitoring plugin are visible to anonymous users, allowing them to gain information that they are not supposed to.

Severity

SECURITY-87 is rated medium, as it results in the loss of functionality.

SECURITY-110 is rated medium, as it results in a limited amount of information exposure.

SECURITY-127 and SECURITY-128 are rated high. The former can be used to further escalate privileges, and the latter results in loss of data.

SECURITY-131 and SECURITY-138 is rated critical. This vulnerabilities results in exposure of sensitie information and is easily exploitable.

SECURITY-143 is rated high. It is a passive attack, but it can result in a compromise of Jenkins master or loss of data.

SECURITY-150 is rated critical. This attack can be mounted by any unauthenticated anonymous user with HTTP reachability to Jenkins instance, and results in remote code execution on Jenkins.

SECURITY-155 is rated medium. This only affects users who have installed proprietary plugins on publicly accessible instances, which is relatively uncommon.

SECURITY-159 is rated critical. This attack can be mounted by any unauthenticated anonymous user with HTTP reachability to Jenkins instance.

SECURITY-113 is rated high. It is a passive attack, but it can result in a compromise of Jenkins master or loss of data.

Affected Versions

 * All the Jenkins releases <= 1.582
 * All the LTS releases <= 1.565.2
 * Monitoring plugin <= 1.52.1

Credit

The Jenkins project would like to thank the following people for finding the vulnerabilities:

 * Daniel Beck for finding SECURITY-87, SECURITY-110, SECURITY-127, SECURITY-128
 * Jesse Glick for finding SECUIRTY-131, SECURITY-155
 * Matthias Schmalz for finding SECURITY-138
 * Seth Graham for finding SECURITY-143
 * Stephen Connolly for finding SECURITY-150
 * Manfred Moser for finding SECURITY-159
 * Wilder Rodrigues for finding SECURITY-113
 * Kurt Seifried for finding SECURITY-149

Fix

 * Main line users should upgrade to Jenkins 1.583
 * LTS users should upgrade to 1.565.3
 * User of monitoring plugin should upgrade to 1.53

These versions include fixes to all the vulnerabilities described above. All the prior versions are affected by these vulnerabilities.

Other Resources

Corresponding security advisory on CloudBees regarding DEV@...ud and Jenkins Enterprise by CloudBees
---

The link from "Other Resources" is:

http://www.cloudbees.com/jenkins-security-advisory-2014-10-01

and that other advisory additionally lists affected and fixed versions
of Jenkins Enterprise by CloudBees:

---
Affected Versions:
 * All the Jenkins releases <= 1.582
 * All the LTS releases <= 1.565.2
 * Monitoring plugin <= 1.52.1
 * Jenkins Enterprise by CloudBees 1.565.1.1 up to 1.565.2.x, 1.554.1.1 up to 1.554.9.x, and 1.532.1.1 up to 1.532.9.x
---

---
Fix:
 * Main line users should upgrade to Jenkins 1.583
 * LTS users should upgrade to 1.565.3
 * Jenkins Enterprise by CloudBees users should upgrade to either 1.565.3.1, 1.554.10.1, or 1.532.10.1 (depending on release lines)
 * Jenkins Operations Center by CloudBees users should upgrade to 1.554.10.1
 * DEV@...ud users need not take any actions. Your instances are being patched and upgraded.
---

Now there's in fact a slight problem with the format: overly-long lines.
This is what I got when copy-pasting from the wiki.  But most important
is that the actual content is now in here.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.