
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN222

_____________________________________________________________________

DATE                : 18/07/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Jenkins (core) versions prior to
                      weekly 2.186, LTS 2.176.2.

=====================================================================
https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626
_____________________________________________________________________

 Jenkins Security Advisory 2019-07-17

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)


Descriptions

Arbitrary file write vulnerability using file parameter definitions
SECURITY-1424 / CVE-2019-10352

Users with Job/Configure permission could specify a relative path
escaping the base directory in the file name portion of a file parameter
definition. This path would be used to store the uploaded file on the
Jenkins master, resulting in an arbitrary file write vulnerability.

File parameters that escape the base directory are no longer accepted
and the build will fail.

This vulnerability is the result of an incomplete fix for SECURITY-1074.
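The check that SECURITY-1424 describes as missing, as an added example written for this note (it is not Jenkins' own code and does not reproduce the project's patch): the file name from a file parameter definition is joined to the directory the build is allowed to write into (assumed here to be the build's workspace) and is accepted only if the resolved result still lies inside that directory. Because the check works on the resolved path rather than on the spelling of the name, it catches "../" sequences, backslash variants and symlinks that point outside the base directory alike.

```python
"""Containment check for file parameter names (added example, not Jenkins code).

A user with Job/Configure permission controls file_name; the job may only
write under base_dir. Anything that resolves outside base_dir is refused.
"""
import os
import tempfile
from pathlib import Path


class FileParameterError(ValueError):
    """Raised when a file parameter name would escape its base directory."""


def resolve_upload_target(base_dir, file_name):
    """Return the absolute path at which the upload may be stored.

    base_dir: directory the job is allowed to write into (assumed: the workspace).
    file_name: the file name portion of the file parameter definition.
    """
    base = Path(base_dir).resolve()
    name = str(file_name).replace("\\", "/")    # treat Windows separators as separators too
    if not name.strip() or name.startswith("/"):
        raise FileParameterError(f"file name must be relative and non-empty: {file_name!r}")
    target = (base / name).resolve()            # resolve() also follows symlinks
    # commonpath is the robust containment test; a plain str.startswith() check
    # would wrongly accept /work/build-2 as being inside /work/build.
    if os.path.commonpath([str(base), str(target)]) != str(base):
        raise FileParameterError(f"file name escapes base directory: {file_name!r}")
    return target


def is_accepted(base_dir, file_name):
    """True if file_name would be stored under base_dir, False if it is rejected."""
    try:
        resolve_upload_target(base_dir, file_name)
        return True
    except FileParameterError:
        return False


# Constructed candidate names: the first three stay inside the base directory,
# the rest are the kind of input the advisory describes.
CANDIDATES = [
    "report.txt", "reports/unit.xml", "sub/../report.txt",
    "../outside.txt", "../../etc/passwd", "/etc/passwd", "..\\..\\win.ini", "",
]


def demo():
    """Classify CANDIDATES against a throw-away base directory; returns {name: accepted}."""
    with tempfile.TemporaryDirectory() as workspace:     # constructed base directory
        return {name: is_accepted(workspace, name) for name in CANDIDATES}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name!r:22} -> {'accepted' if accepted else 'rejected'}")
```

Note that "sub/../report.txt" is accepted because it resolves to a path inside the base directory; a deployment that prefers to refuse any ".." component outright can add that lexical check in front of the containment test, but the containment test is the one that must not be omitted.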


CSRF protection tokens did not expire
SECURITY-626 / CVE-2019-10353

By default, CSRF tokens in Jenkins only checked user authentication and
IP address. This allowed attackers able to obtain a CSRF token for
another user to implement CSRF attacks as long as the victim’s IP
address remained unchanged.

CSRF tokens will now also check the web session ID to confirm they were
created in the same session. Once that’s invalidated or expired,
corresponding CSRF tokens will become invalid as well.


Note
    This fix may impact scripts that obtain a crumb from the crumb issuer
    API. They may need to be updated to retain the session ID for
    subsequent requests. For further information, see the LTS upgrade guide.

We also publish the Strict Crumb Issuer Plugin which contains additional
protection mechanisms that give administrators more fine-grained control
over the validity of CSRF tokens. We plan to improve the built-in
default crumb issuer based on user feedback of this implementation.
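The SECURITY-626 change and its effect on scripts (the note above), shown together in one added example that is a model written for this note, not Jenkins' code. A stand-in HTTP server issues a crumb from /crumbIssuer/api/json and checks it on a POST. With bind_session=False the crumb depends only on user and IP address, the pre-fix behaviour; with bind_session=True it also depends on the JSESSIONID cookie, so a crumb minted in one session does not validate in another even though user and IP are unchanged. The two client variants show why a script must keep the session cookie between the crumb request and the request that uses it. The crumb computation, the cookie name and the fixed "anonymous" user are assumptions of the model.

```python
"""Session-bound crumbs (added example, not Jenkins code): server and client."""
import hashlib
import hmac
import http.cookiejar
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CRUMB_FIELD = "Jenkins-Crumb"           # header name the crumb issuer reports


def make_handler(bind_session):
    secret = secrets.token_bytes(32)    # constructed: per-server crumb secret
    user, client_ip = "anonymous", "127.0.0.1"   # constructed: fixed identity for the demo

    def crumb_for(session_id):
        material = f"{user};{client_ip}"
        if bind_session:                # post-fix: the session id is part of the crumb
            material += f";{session_id}"
        return hmac.new(secret, material.encode(), hashlib.sha256).hexdigest()

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the demo quiet
            pass

        def session_id(self):
            """JSESSIONID from the Cookie header, or None if no session is presented."""
            for part in self.headers.get("Cookie", "").split(";"):
                name, _, value = part.strip().partition("=")
                if name == "JSESSIONID":
                    return value
            return None

        def do_GET(self):
            if self.path != "/crumbIssuer/api/json":
                self.send_error(404)
                return
            sid = self.session_id() or secrets.token_hex(16)   # start a session if needed
            body = json.dumps({"crumb": crumb_for(sid),
                               "crumbRequestField": CRUMB_FIELD}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_POST(self):
            # A POST with no session cookie is, to the server, a brand-new session,
            # so a session-bound crumb from an earlier request cannot match it.
            sid = self.session_id() or secrets.token_hex(16)
            presented = self.headers.get(CRUMB_FIELD, "")
            ok = hmac.compare_digest(presented, crumb_for(sid))
            self.send_response(200 if ok else 403)
            self.send_header("Content-Length", "0")
            self.end_headers()

    return Handler


def run_script(base_url, keep_session):
    """Fetch a crumb, then POST it back; returns the HTTP status of the POST."""
    if keep_session:    # cookie jar carries JSESSIONID into the second request
        jar = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    else:               # pre-fix style script: each request is a fresh, cookieless session
        opener = urllib.request.build_opener()
    with opener.open(base_url + "/crumbIssuer/api/json") as resp:
        issued = json.load(resp)
    req = urllib.request.Request(base_url + "/job/demo/build", data=b"",
                                 headers={issued["crumbRequestField"]: issued["crumb"]})
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo(bind_session, keep_session):
    """Run one client against a fresh stand-in server on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(bind_session))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_script(f"http://127.0.0.1:{server.server_address[1]}", keep_session)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("pre-fix, cookieless script :", demo(bind_session=False, keep_session=False))
    print("post-fix, cookieless script:", demo(bind_session=True, keep_session=False))
    print("post-fix, session retained :", demo(bind_session=True, keep_session=True))
```

The cookieless client gets 200 from the pre-fix server and 403 from the post-fix one; keeping the cookie jar (or, with the requests library, using a Session object) restores 200, which is the adjustment the note asks script authors to make. The same mechanism is what makes a crumb die with its session: once the server no longer recognises the JSESSIONID, crumb_for() computes a different value and every crumb issued under the old session stops validating.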


Unauthorized view fragment access
SECURITY-534 / CVE-2019-10354

Jenkins uses the Stapler web framework to render its UI views. These
views are frequently composed of several view fragments, enabling
plugins to extend existing views with more content.

In some cases attackers could directly access a view fragment containing
sensitive information, bypassing any permission checks in the
corresponding view.

The Stapler web framework has been extended with a Service Provider
Interface (SPI) that allows preventing views from being rendered. The
implementation of that SPI in Jenkins now prevents view fragments from
being rendered. Further details are available in the developer
documentation.

Most views in Jenkins and Jenkins plugins should be compatible with this
change. We track known affected plugins and their status in the Jenkins
wiki.

In rare cases, it may be desirable to disable this fix. To do so, set
the Java system property
jenkins.security.stapler.StaplerDispatchValidator.disabled to true.

Learn more about system properties in Jenkins.


Severity

    SECURITY-534: Medium
    SECURITY-626: High
    SECURITY-1424: Medium


Affected Versions

    Jenkins weekly up to and including 2.185
    Jenkins LTS up to and including 2.176.1

Fix

    Jenkins weekly should be updated to version 2.186
    Jenkins LTS should be updated to version 2.176.2

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Conor O'Neill of Tenable for SECURITY-1424
    Jesse Glick, CloudBees, Inc. for SECURITY-534

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


