====================================================================
CERT-Renater Information Note No. 2018/VULN255
_____________________________________________________________________

DATE : 16/08/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins weekly versions prior to 2.133,
Jenkins LTS versions prior to 2.121.2.
=====================================================================

https://jenkins.io/security/advisory/2018-08-15
/
_____________________________________________________________________

Jenkins Security Advisory 2018-08-15

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)

Descriptions

Jenkins allowed deserialization of URL objects with host components
SECURITY-637 / CVE pending

Jenkins allowed deserialization of URL objects via Remoting (agent
communication) and XStream. This could in rare cases be used by attackers to
have Jenkins look up specified hosts' DNS records.

Jenkins now injects a URLStreamHandler when deserializing URLs that overrides
the affected URL methods. This can be disabled if needed by setting the system
property hudson.remoting.URLDeserializationHelper.avoidUrlWrapping to true.

Ephemeral user record was created on some invalid authentication attempts
SECURITY-672 / CVE pending

When attempting to authenticate using an API token, an ephemeral user record
was created to validate the token in case an external security realm was used
and the user record had not previously been saved in Jenkins, as (legacy) API
tokens could exist without a persisted user record. This behavior could be
abused to create a large number of ephemeral user records in memory.

The API token validation on authentication has been improved to no longer
create ephemeral user records.

Cron expression form validation could enter infinite loop, potentially
resulting in denial of service
SECURITY-790 / CVE pending

The form validation for cron expressions (e.g. "Poll SCM", "Build
periodically") could enter infinite loops when cron expressions matching only
certain rare dates were entered, blocking request handling threads
indefinitely.

"Remember me" cookie was evaluated even if that feature is disabled
SECURITY-996 / CVE pending

The "Remember me" feature can be disabled in the Jenkins security
configuration. This did not disable the processing of previously set "Remember
me" cookies, so they still allowed users to be logged in.

"Remember me" cookies are no longer evaluated when the corresponding feature is
disabled.

Unauthorized users could access agent logs
SECURITY-1071 / CVE pending

Users with Overall/Read permission were able to access the URL serving agent
logs on the UI due to a lack of permission checks.

Access to the affected URL is now limited to users with the correct
Agent/Connect permission.

Unauthorized users could cancel scheduled restarts initiated from the update
center
SECURITY-1076 / CVE pending

Users with Overall/Read permission were able to access the URL used to cancel
scheduled restart jobs initiated via the update center ("Restart Jenkins when
installation is complete and no jobs are running") due to a lack of permission
checks.

Access to the affected URL is now limited to users with Overall/Administer
permission.

Severity

  * SECURITY-637: low
  * SECURITY-672: medium
  * SECURITY-790: medium
  * SECURITY-996: low
  * SECURITY-1071: medium
  * SECURITY-1076: low

Affected Versions

  * Jenkins weekly up to and including 2.137
  * Jenkins LTS up to and including 2.121.2

Fix

  * Jenkins weekly should be updated to version 2.138
  * Jenkins LTS should be updated to version 2.121.3

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Jesse Glick, CloudBees, Inc. for SECURITY-637
  * Thomas de Grenier de Latour for SECURITY-790
  * Wadeck Follonier, CloudBees, Inc. for SECURITY-1071, SECURITY-1076
  * Wadeck Follonier, CloudBees, Inc., and, independently, Nimrod Stoler of
    CyberArk Labs for SECURITY-672

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr    +
=========================================================

--
Francois Ducrot
GIP RENATER - Direction Technique SSI/CERT
Tel : +33 1 53 94 20 84
http://www.renater.fr
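Illustration of the SECURITY-637 mitigation pattern described above, as an added example and not the Jenkins project's own hudson.remoting.URLDeserializationHelper code: in the JDK, URL.equals() and URL.hashCode() delegate to the URL's URLStreamHandler, whose default implementation resolves the host through InetAddress, so comparing or hashing an attacker-supplied deserialized URL causes a DNS lookup. A handler that overrides those methods (class name NoDnsUrlHandler and the wrap() helper are assumptions) keeps the comparison purely string-based; installing it on a URL after deserialization is the defensive step.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;

/**
 * Example handler (hypothetical, not Jenkins code) that stops URL.equals()
 * and URL.hashCode() from triggering DNS resolution of the host component.
 */
public final class NoDnsUrlHandler extends URLStreamHandler {

    @Override
    protected URLConnection openConnection(URL u) throws IOException {
        // Deserialized URLs are data, not something to connect to.
        throw new IOException("opening connections is not permitted: " + u);
    }

    @Override
    protected int hashCode(URL u) {
        // Default URLStreamHandler.hashCode(URL) calls getHostAddress(u),
        // which performs a DNS lookup; hash the textual form instead.
        return u.toExternalForm().hashCode();
    }

    @Override
    protected boolean equals(URL u1, URL u2) {
        // Default implementation compares resolved addresses; compare text.
        return u1.toExternalForm().equals(u2.toExternalForm());
    }

    @Override
    protected boolean hostsEqual(URL u1, URL u2) {
        // Case-insensitive host name comparison, no resolution.
        String h1 = u1.getHost();
        String h2 = u2.getHost();
        return h1 == null ? h2 == null : h1.equalsIgnoreCase(h2);
    }

    /** Rebuild a freshly deserialized URL so that it uses this handler. */
    public static URL wrap(URL untrusted) throws MalformedURLException {
        // A URL's handler is fixed at construction time, so re-parse the
        // external form with the safe handler supplied explicitly.
        return new URL(null, untrusted.toExternalForm(), new NoDnsUrlHandler());
    }
}
```

Calling wrap() on every URL that comes out of an untrusted deserialization stream, before it is stored in a collection or compared, is the point at which such a handler has to be injected.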