
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN184

_____________________________________________________________________

DATE                : 12/06/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running ElectricFlow Plugin for Jenkins
                     versions prior to 1.1.7,
                     JX Resources Plugin for Jenkins versions prior to 1.0.37,
                     Token Macro Plugin for Jenkins versions prior to 2.8.

=====================================================================
https://jenkins.io/security/advisory/2019-06-11/
_____________________________________________________________________

Jenkins is an open source automation server which enables developers
around the world to reliably build, test, and deploy their software.
The following releases contain fixes for security vulnerabilities:

* ElectricFlow Plugin 1.1.7
* JX Resources Plugin 1.0.37
* Token Macro Plugin 2.8

Summaries of the vulnerabilities are below. More details, severity,
and attribution can be found here:
https://jenkins.io/security/advisory/2019-06-11/

We provide advance notification for security updates on this mailing
list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report
them as described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1399 / CVE-2019-10337
Token Macro Plugin did not configure its XML parser in a way that would
prevent XML External Entity (XXE) processing.

This allowed attackers able to control the contents of files processed
with the ${XML} macro to have Jenkins parse a maliciously crafted XML
file that uses external entities for extraction of secrets from the
Jenkins agent, server-side request forgery, or denial-of-service
attacks.

Token Macro Plugin no longer processes XML External Entities in XML
documents.


SECURITY-1379 / CVE-2019-10338 (CSRF), CVE-2019-10339 (improper
authorization)
JX Resources Plugin did not perform permission checks on a method
implementing form validation. This allowed users with Overall/Read
access to Jenkins to connect to an attacker-specified Kubernetes
server and obtain information about an attacker-specified namespace.
Doing so might also leak service account credentials used for the
connection. Additionally, it allowed attackers to obtain the value
of any attacker-specified environment variable for the Jenkins master
process.

Additionally, this form validation method did not require POST
requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and
Overall/Administer permissions.


SECURITY-1410 (1) / CVE-2019-10331 (CSRF), CVE-2019-10332 (improper
authorization)
A missing permission check in a form validation method in ElectricFlow
Plugin allowed users with Overall/Read permission to initiate a
connection test to an attacker-specified server with attacker-specified
username and password.

Additionally, the form validation method did not require POST requests,
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and
Overall/Administer permissions.


SECURITY-1410 (2) / CVE-2019-10333
Various form validation and form autocompletion methods in ElectricFlow
Plugin lacked permission checks. This allowed attackers with
Overall/Read access to obtain information about the configuration of
ElectricFlow Plugin, as well as the configuration and data of connected
ElectricFlow servers.

These form validation and autocompletion methods now require
Overall/Administer or Job/Configure permission, as appropriate for the
given method.
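Added illustration for SECURITY-1379 and SECURITY-1410 (not JX Resources or ElectricFlow Plugin code): a Jenkins form validation method in the shape the fixes describe, requiring POST and Overall/Administer before any outbound connection is made. The class names and the connect helper are hypothetical.

```java
// Added example, not code from either plugin. Uses the Jenkins/Stapler APIs
// (FormValidation, @POST, @QueryParameter, Jenkins.checkPermission).
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleServerConfig extends AbstractDescribableImpl<ExampleServerConfig> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleServerConfig> {

        @Override
        public String getDisplayName() { return "Example server"; }

        // Vulnerable shape behind CVE-2019-10338/10339 and CVE-2019-10331/10332:
        // no verb restriction and no permission check, so any Overall/Read user
        // (or a cross-site request in their browser) could make the master connect
        // to an attacker-specified server with attacker-specified credentials.
        //
        //   public FormValidation doTestConnection(@QueryParameter String url, ...) {
        //       connect(url, username, password); ...
        //   }

        @POST   // GET requests are rejected, which closes the CSRF vector
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
            // Only administrators may have the master open connections with supplied
            // credentials. For per-job checks the page's fix uses Job/Configure instead:
            // item.checkPermission(Item.CONFIGURE) on an @AncestorInPath Item.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (url == null || url.trim().isEmpty()) {
                return FormValidation.error("URL is required");
            }
            try {
                connect(url, username, password);
                return FormValidation.ok("Connection succeeded");
            } catch (Exception e) {
                return FormValidation.error(e, "Connection failed");
            }
        }

        // Hypothetical helper standing in for the plugin-specific connection test.
        private void connect(String url, String username, String password) throws Exception { }
    }
}
```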


SECURITY-1411 / CVE-2019-10334
ElectricFlow Plugin unconditionally disabled SSL/TLS certificate
validation for the entire Jenkins master JVM during the
deployment/publication of an application.

ElectricFlow Plugin no longer does that. Instead, the existing opt-in
option to ignore SSL/TLS errors is used during deployment for the
specific connection.
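Added illustration (not ElectricFlow Plugin code): the opt-in "ignore SSL/TLS errors" setting applied to a single HttpsURLConnection rather than to the JVM-wide defaults, which is the scoping change the fix describes. The class and method names are this example's own.

```java
// Added example, not code from ElectricFlow Plugin.
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class ScopedTlsOptIn {

    // Vulnerable pattern (CVE-2019-10334): the static setters change the defaults for
    // every HttpsURLConnection created afterwards anywhere in the Jenkins master JVM,
    // including connections made by Jenkins core and by other plugins, and the change
    // persists after the deployment step has finished.
    //
    //   HttpsURLConnection.setDefaultSSLSocketFactory(lenientContext().getSocketFactory());
    //   HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);

    /** Opens one connection; checks are relaxed only if the user opted in, and only here. */
    static HttpsURLConnection open(URL url, boolean ignoreSslErrors) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (ignoreSslErrors) {
            // Instance setters affect this connection object only; every other
            // connection in the JVM keeps the platform trust store and hostname check.
            conn.setSSLSocketFactory(lenientContext().getSocketFactory());
            conn.setHostnameVerifier((host, session) -> true);
        }
        return conn;
    }

    private static SSLContext lenientContext() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx;
    }
}
```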


SECURITY-1412 / CVE-2019-10335
ElectricFlow Plugin adds metadata displayed on build pages during its
operations.

This content was not escaped, resulting in a cross-site scripting
vulnerability that allowed users with Job/Configure permission, or
attackers controlling API responses received from ElectricFlow, to
render arbitrary HTML and JavaScript on Jenkins build pages.

Build metadata is now filtered through an HTML formatter that only
allows basic HTML, neutralizing any unsafe data. Additionally, all
builds executed after the security update is applied will properly
escape content received from ElectricFlow.


SECURITY-1420 / CVE-2019-10336
The configuration forms of various post-build steps contributed by
ElectricFlow Plugin were vulnerable to cross-site scripting.

This allowed attackers able to control the output of connected
ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript
into the configuration form.

ElectricFlow Plugin no longer interprets HTML/JavaScript in
responses from ElectricFlow server APIs on job configuration forms.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


