
====================================================================

                             CERT-Renater

                 Information Note No. 2018/VULN076
_____________________________________________________________________

DATE                : 27/02/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Azure Slave Plugin for Jenkins,
                       Coverity Plugin for Jenkins,
                       CppNCSS Plugin for Jenkins,
                       Environment Injector Plugin for Jenkins,
                       Gerrit Trigger Plugin for Jenkins,
                       Git Plugin for Jenkins,
                       Google Play Android Publisher Plugin for Jenkins,
                       Job and Node ownership Plugin for Jenkins,
                       Mercurial Plugin for Jenkins,
                       promoted builds Plugin for Jenkins,
                       Subversion Plugin for Jenkins,
                       TestLink Plugin for Jenkins.

=====================================================================
https://jenkins.io/security/advisory/2018-02-26/
_____________________________________________________________________

 Jenkins Security Advisory 2018-02-26

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Azure Slave Plugin
    Coverity Plugin
    CppNCSS Plugin
    Environment Injector Plugin
    Gerrit Trigger Plugin
    Git Plugin
    Google Play Android Publisher Plugin
    Job and Node ownership Plugin
    Mercurial Plugin
    promoted builds Plugin
    Subversion Plugin
    TestLink Plugin


Descriptions

Environment Injector Plugin before 1.91 stored sensitive build variables

SECURITY-248

EnvInject plugin stores environment variables in order to visualize
them in the "Injected Environment Variables" view. Sensitive build
variables, typically passwords, are exempt from this behavior. Plugin
versions older than 1.91 (released on Mar 08, 2015) however did not
exempt sensitive variables, and persisted them on disk too. Such
persisted sensitive variables may be displayed by any release of this
plugin for builds run before it was updated to version 1.91 or newer.

While the bug persisting sensitive build variables has been addressed
in release 1.91, there is no fix addressing this problem for historical
build data.

You may be affected by this sensitive data exposure issue if all of the
following are true:

    You define sensitive environment variables globally, per node, or
per job.

    You have ever used Environment Injector Plugin 1.90 or older.

    You still have build records created while Environment Injector
Plugin 1.90 or older was installed and enabled.

To prevent the further exposure of sensitive build variables, we
recommend that you take the following steps if you are affected by this:

    Disable the visualization of Injected Environment variables in the
global configuration. After this change the data will be accessible
only to those who have access to the raw build.xml files. This is a
reversible action that can be applied immediately, and can be reverted
once you’ve purged the data on disk (below).

    Remove the sensitive data from disk by manually removing
corresponding entries from injectedEnvVars.txt files, or deleting the
injectedEnvVars.txt files in old build directories.

    Rotate all secrets that have potentially been exposed.
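A script for the second step, added here as an example (it is not the Jenkins project's or the plugin's own code): it finds the injectedEnvVars.txt files left in old build directories and either strips entries for a configured list of sensitive variable names or deletes the files outright. It assumes the usual jobs/<job>/builds/<number>/ layout (nested folders included) and one KEY=VALUE entry per line; the sensitive names and the sample JENKINS_HOME are constructed.

```python
import pathlib
import re
import tempfile

# Hypothetical set of variable names the administrator treats as secrets.
SENSITIVE = {"DB_PASSWORD", "DEPLOY_TOKEN"}
ENTRY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=")  # assumed KEY=VALUE lines

def find_injected_env_files(jenkins_home):
    """Every injectedEnvVars.txt under a builds/ directory (folders included)."""
    root = pathlib.Path(jenkins_home)
    return sorted(p for p in root.rglob("injectedEnvVars.txt")
                  if p.parent.parent.name == "builds")

def scrub_file(path, sensitive):
    """Drop entries whose KEY is sensitive; return the removed keys in order."""
    kept, removed = [], []
    for line in path.read_text(encoding="utf-8").splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) in sensitive:
            removed.append(m.group(1))
        else:
            kept.append(line)
    if removed:  # rewrite only when something was stripped
        path.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return removed

def scrub_jenkins_home(jenkins_home, sensitive=SENSITIVE, delete=False):
    """Scrub (or, with delete=True, remove) each file; map path -> removed keys."""
    report = {}
    for path in find_injected_env_files(jenkins_home):
        rel = path.relative_to(jenkins_home).as_posix()
        if delete:
            path.unlink()
            report[rel] = ["<file deleted>"]
        else:
            report[rel] = scrub_file(path, sensitive)
    return report

def build_sample_home():
    """Constructed JENKINS_HOME: one old build holding secrets, one without."""
    home = pathlib.Path(tempfile.mkdtemp())
    secret = home / "jobs" / "app" / "builds" / "12"
    clean = home / "jobs" / "team" / "jobs" / "lib" / "builds" / "3"
    for d in (secret, clean):
        d.mkdir(parents=True)
    (secret / "injectedEnvVars.txt").write_text(
        "BUILD_NUMBER=12\nDB_PASSWORD=hunter2\nDEPLOY_TOKEN=abc\n")
    (clean / "injectedEnvVars.txt").write_text("BUILD_NUMBER=3\n")
    return home
```

Run it against a copy of the real JENKINS_HOME first, and keep the returned report: it lists exactly which builds held which variables, which is the input for the third step (rotating the exposed secrets).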


Coverity Plugin stored keystore and private key passwords in plain text

SECURITY-260

The Coverity Plugin stored passwords unencrypted as part of its
configuration. This allowed users with Jenkins master local file system
access and Jenkins administrators to retrieve the stored password. The
latter could result in exposure of the passwords through browser
extensions, cross-site scripting vulnerabilities, and similar
situations.

The Coverity Plugin now integrates with Credentials Plugin to store
passwords, and automatically migrates existing passwords.


Improper access control in Gerrit Trigger Plugin allowed unauthorized
users to read some server configuration information

SECURITY-402

Missing permission checks in Gerrit Trigger Plugin allowed users with
Overall/Read permission to access a form that showed the configuration
of Gerrit servers in Jenkins. The key file password was only shown in
its encrypted form, if configured. Other options were plainly visible.

The missing permission check has been added.


Improper access control in Gerrit Trigger Plugin allowed unauthorized
users to modify global Gerrit Server configurations

SECURITY-403

Missing permission checks in Gerrit Trigger Plugin allowed users with
Overall/Read permission to perform the following actions:

    Configure Gerrit servers

    Connect and disconnect configured Gerrit servers

The missing permission checks have been added.


Improper access control allowed users without ManageOwnership
permission to change job ownership metadata in Job and Node ownership
Plugin

SECURITY-498

Job and Node ownership Plugin did not prevent the ownership metadata
being overwritten when a job or node configuration was updated from the
CLI or using the remote API (POST config.xml).

This allowed users with Job/Configure permission but without
ManageOwnership/Jobs permission to change job ownership metadata, and
users with Computer/Configure but without ManageOwnership/Nodes to
change node ownership metadata.

Changes to job or node ownership metadata via remote API now require
ManageOwnership/Jobs or ManageOwnership/Nodes permission, respectively.
Changes to job or node ownership via CLI require Overall/Administer
permission.


Azure Slave Plugin bundled outdated httpclient library with denial of
service vulnerability

SECURITY-554 / CVE-2015-5262

The Azure Slave Plugin bundles a version of the httpclient library that
is vulnerable to CVE-2015-5262.

As the plugin has been deprecated in favor of Azure VM Agents Plugin in
2016, there are no plans to release a fix. It has been removed from
distribution at the request of the former maintainers.


Reflected cross-site scripting vulnerability in report URL of CppNCSS
Plugin

SECURITY-712

CppNCSS Plugin did not properly escape the report name and graph name,
resulting in a reflected cross-site scripting vulnerability.

Report name and graph name are now properly escaped.


Unprivileged users are able to enumerate credential IDs in Google Play
Android Publisher Plugin

SECURITY-715

Google Play Android Publisher Plugin provides a list of applicable
credential IDs to allow users configuring a job to select the one
they’d like to use to authenticate with the Google Play API.

This functionality did not check permissions, allowing any user with
Overall/Read permission to get a list of valid credential IDs. Those
could be used as part of an attack to capture the credentials using
another vulnerability.

Additionally, a related form validation function would allow
verification whether a specified credential is valid for use with the
Google Play API.

Enumeration of credential IDs and validation of specified credentials
in this plugin now require the ExtendedRead permission (when that
permission is enabled; otherwise the Configure permission) on the job
in whose context the credentials are being accessed.


Disclosure of user names and node names to unauthorized users through
post-commit hook URL in Git Plugin

SECURITY-723

The class handling unauthenticated Git post-commit hook notification
requests at the /git/ path unnecessarily extended another type that
handled requests to the …/search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a
list of search results usually available to anyone with Overall/Read
permission. In current Jenkins releases, those are typically the names
of known users (both actual users of Jenkins, and known SCM committers)
and nodes (master and agents).

The class handling requests to /git/ no longer extends the class
handling requests to the …/search/ sub-path, therefore any such
requests will fail.


Disclosure of user names and node names to unauthorized users through
post-commit hook URL in Subversion Plugin

SECURITY-724

The class handling unauthenticated Subversion post-commit hook
notification requests at the /subversion/ path unnecessarily extended
another type that handled requests to the …/search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a
list of search results usually available to anyone with Overall/Read
permission. In current Jenkins releases, those are typically the names
of known users (both actual users of Jenkins, and known SCM committers)
and nodes (master and agents).

The class handling requests to /subversion/ no longer extends the class
handling requests to the …/search/ sub-path, therefore any such
requests will fail.


Disclosure of user names and node names to unauthorized users through
post-commit hook URL in Mercurial Plugin

SECURITY-726

The class handling unauthenticated Mercurial post-commit hook
notification requests at the /mercurial/ path unnecessarily extended
another type that handled requests to the …/search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a
list of search results usually available to anyone with Overall/Read
permission. In current Jenkins releases, those are typically the names
of known users (both actual users of Jenkins, and known SCM committers)
and nodes (master and agents).

The class handling requests to /mercurial/ no longer extends the class
handling requests to the …/search/ sub-path, therefore any such
requests will fail.
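The three issues above (SECURITY-723, -724 and -726) share one pattern: an unauthenticated hook endpoint that also answered under its search sub-path. An added detection example (not part of the advisory or of the plugins) that flags such requests in a combined-format access log, so an administrator can check whether the endpoints were probed before the plugins were updated. The log lines are constructed; an optional context path such as /jenkins in front of the plugin path is assumed to be possible.

```python
import re
from collections import Counter

# Combined-format access log line, e.g. from a reverse proxy in front of Jenkins.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})')
# The three unauthenticated post-commit hook endpoints named in SECURITY-723,
# -724 and -726, followed by the search sub-path; an optional context path
# (e.g. /jenkins) may precede them. Plain notifyCommit hook calls do not match.
HOOK_SEARCH_RE = re.compile(
    r"^(?:/[^/]+)*?/(?P<plugin>git|subversion|mercurial)/search(?:/|\?|$)")

# Constructed sample: two legitimate hook notifications and three search probes.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2018:10:01:02 +0100] "GET /git/notifyCommit?url=ssh://git@scm/app.git HTTP/1.1" 200 0 "-" "curl/7.58"
203.0.113.7 - - [26/Feb/2018:10:01:09 +0100] "GET /git/search/?q=a HTTP/1.1" 200 1432 "-" "python-requests/2.18"
203.0.113.7 - - [26/Feb/2018:10:01:10 +0100] "GET /jenkins/subversion/search?q=b HTTP/1.1" 200 1398 "-" "python-requests/2.18"
10.0.0.5 - - [26/Feb/2018:10:02:00 +0100] "POST /subversion/notifyCommit?rev=42 HTTP/1.1" 200 0 "-" "svn-hook"
198.51.100.9 - - [26/Feb/2018:10:03:31 +0100] "GET /mercurial/search/suggest?query=c HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

def find_hook_search_requests(lines):
    """One record per request that reached a hook endpoint's search sub-path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        hm = HOOK_SEARCH_RE.match(m.group("path"))
        if hm:
            hits.append({"ip": m.group("ip"), "plugin": hm.group("plugin"),
                         "path": m.group("path"), "status": int(m.group("status"))})
    return hits

def sources_by_count(hits):
    """Client addresses ranked by number of search probes, for triage."""
    return Counter(h["ip"] for h in hits).most_common()

if __name__ == "__main__":
    found = find_hook_search_requests(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print(sources_by_count(found))
```

A 200 status on a flagged request before the fix means the search results were served; after the fix the same requests fail, so hits with non-200 statuses on patched instances are probes that returned nothing.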


Stored cross-site scripting vulnerability in TestLink Plugin

SECURITY-731

Users with Job/Configure permission were able to configure TestLink
reports to display arbitrary unescaped HTML e.g. in test case names.

The plugin now properly escapes its HTML output.


Promoted Builds Plugin allowed unauthorized users to run some promotion
processes

SECURITY-746

Users with Job/Read access were able to approve and re-execute
promotion processes with a manual promotion condition that did not
specify a list of users allowed to manually approve the promotion.

The plugin now requires users to have the Promotion/Promote permission
to be able to approve or re-execute a promotion with a manual condition
that does not specify a list of users allowed to approve it.

The following additional changes to permission enforcement were
implemented in this update to make condition enforcement consistent for
the three actions Approve, Re-Execute, and Force:

Note
    Some of these changes allow users to act on some promotions
they were not able to act on in 2.x releases of this plugin.

    Users with just the Promotion/Promote permission are no longer
allowed to re-execute or force promotions with a manual condition that
specifies a list of users, unless the user is on that list.

    Administrators are now able to approve any promotion with a manual
condition.

    Users specified in a manual promotion condition are now allowed to
force this promotion.


Severity

    SECURITY-248: medium
    SECURITY-260: low
    SECURITY-402: medium
    SECURITY-403: medium
    SECURITY-498: medium
    SECURITY-554: medium
    SECURITY-712: medium
    SECURITY-715: medium
    SECURITY-723: medium
    SECURITY-724: medium
    SECURITY-726: medium
    SECURITY-731: medium
    SECURITY-746: medium


Affected Versions

    Azure Slave Plugin up to and including 0.3.4
    Coverity Plugin up to and including 1.10.0
    CppNCSS Plugin up to and including 1.1
    Environment Injector Plugin up to and including 1.90
    Gerrit Trigger Plugin up to and including 2.27.4
    Git Plugin up to and including 3.7.0
    Google Play Android Publisher Plugin up to and including 1.6
    Job and Node ownership Plugin up to and including 0.11.0
    Mercurial Plugin up to and including 2.2
    promoted builds Plugin up to and including 2.31.1
    Subversion Plugin up to and including 2.10.2
    TestLink Plugin up to and including 3.12


Fix

    Coverity Plugin should be updated to version 1.11.0
    CppNCSS Plugin should be updated to version 1.2
    Environment Injector Plugin should be updated to version 1.91
    Gerrit Trigger Plugin should be updated to version 2.27.5
    Git Plugin should be updated to version 3.8.0
    Google Play Android Publisher Plugin should be updated to version 1.7
    Job and Node ownership Plugin should be updated to version 0.12.0
    Mercurial Plugin should be updated to version 2.3
    promoted builds Plugin should be updated to version 3.0
    Subversion Plugin should be updated to version 2.10.3
    TestLink Plugin should be updated to version 3.13

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

    Azure Slave Plugin


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Christopher Orr for SECURITY-715
    Daniel Beck, CloudBees, Inc. for SECURITY-402, SECURITY-403
    Devin Nusbaum, CloudBees, Inc. for SECURITY-746
    Jonathan Claudius of Mozilla for SECURITY-248
    Oleg Nenashev, CloudBees, Inc. for SECURITY-498, SECURITY-712,
      SECURITY-731
    Spencer Gietzen of Rhino Security Labs for SECURITY-723
    Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG for SECURITY-260


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
