Jenkins Security Advisory 2015-11-11

This advisory announces multiple vulnerabilities in Jenkins.

Description

Project name disclosure via fingerprints

SECURITY-153 / CVE-2015-5317

The Jenkins UI allowed users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages if those shared file fingerprints with fingerprinted files in accessible jobs.

Public value used for CSRF protection salt

SECURITY-169 / CVE-2015-5318

The salt used to generate the CSRF protection tokens was a publicly accessible value, allowing malicious users to circumvent CSRF protection by generating the correct token.

XXE injection into job configurations via CLI

SECURITY-173 / CVE-2015-5319

When creating a job using the create-job CLI command, external entities are not discarded (nor processed). If these job configurations are processed by another user with an XML-aware tool (e.g. using get-job/update-job), information from that user’s computer may be disclosed to Jenkins and the attacker.

Secret key not verified when connecting an agent

SECURITY-184 / CVE-2015-5320

JNLP agent connections did not verify that the correct secret was supplied, which allowed malicious users to connect their own machines as agents to Jenkins knowing only the name of the agent. This enables attackers to take over Jenkins (unless the agent-to-controller security subsystem is enabled) or gain access to private data like keys and source code.

Queue API did show items not visible to the current user

SECURITY-186 / CVE-2015-5324

The /queue/api URL could return information about items not accessible to the current user (such as parameter names and values, build names, project descriptions, …).

Information disclosure via sidepanel

SECURITY-192 / CVE-2015-5321

The CLI command overview and help pages in Jenkins were accessible without Overall/Read permission, resulting in disclosure of the names of configured agents (and contents of other sidepanel widgets, if present) to unauthorized users.

Local file inclusion vulnerability

SECURITY-195 / CVE-2015-5322

Access to the /jnlpJars/ URL was not limited to the specific JAR files users needed to access, allowing browsing directories and downloading other files in the Jenkins servlet resources, such as web.xml.

API tokens of other users available to admins

SECURITY-200 / CVE-2015-5323

API tokens of other users were exposed to admins by default. On instances that don’t implicitly grant RunScripts permission to admins, this allowed admins to run scripts with another user’s credentials.

JNLP agents not subject to agent-to-controller access control

SECURITY-206 / CVE-2015-5325

Agents connecting via JNLP were not subject to the optional agent-to-controller access control documented at security-144 (CVE-2014-3665).

Stored XSS vulnerability in agent offline status message

SECURITY-214 / CVE-2015-5326

Users with the permission to take agent nodes offline can enter arbitrary HTML that gets shown unescaped to users visiting the agent overview page.

Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting

SECURITY-218 / CVE-2015-8103

Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins controller.

Severity

  • SECURITY-153 is considered low as users have no control over which information they see, and the kind of information revealed is very limited.

  • SECURITY-169 is considered critical as it allows attackers to circumvent CSRF protection.

  • SECURITY-173 is considered low due to the high degree of specific user interaction required, and the limited information that can be gained this way.

  • SECURITY-184 is considered critical: It enables several different attacks, compromising integrity, stability and confidentiality.

  • SECURITY-186 is considered medium: Low privileged users can gain some limited information about items they should not have access to.

  • SECURITY-192 is considered medium: While the amount of information disclosed is very limited, it is trivial to exploit.

  • SECURITY-195 is considered low: The information gained is very limited, and it requires a specific setup to gain any non-public information this way.

  • SECURITY-200 is considered medium: In very specific circumstances, it allows admins to gain permissions they would not otherwise have.

  • SECURITY-206 is considered high as it allows to circumvent the major protection against less trusted node admins.

  • SECURITY-214 is considered medium as allows admins and users with significant privileges to circumvent XSS protection.

  • SECURITY-218 is considered critical as it allows unauthenticated remote attackers to run arbitrary code on Jenkins.

Affected versions

  • All Jenkins main line releases up to and including 1.637

  • All Jenkins LTS releases up to and including 1.625.1

Fix

  • Jenkins main line users should update to 1.638

  • Jenkins LTS users should update to 1.625.2

These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

Credit

The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:

  • Akshay Dayal (from Google) for SECURITY-184

  • Ari Rubinstein for SECURITY-195

  • Ben Walding, CloudBees, Inc. for SECURITY-192

  • Daniel Beck, CloudBees, Inc. for SECURITY-186

  • James Nord, CloudBees, Inc. for SECURITY-169 and SECURITY-173

  • Jesse Glick, CloudBees, Inc. for SECURITY-206

  • Nicolas De Loof, CloudBees, Inc. for SECURITY-153

  • Oleg Nenashev, CloudBees, Inc. for SECURITY-200

  • Plastunov Andrey, Digital Security (dsec.ru) for SECURITY-214