ArchLinux: 201704-8: jenkins: multiple issues
Summary
- CVE-2017-1000354 (privilege escalation)
The login command available in the remoting-based CLI stored the
encrypted user name of the successfully authenticated user in a cache
file used to authenticate further commands. Users with sufficient
permission to create secrets in Jenkins, and download their encrypted
values (e.g. with Job/Configure permission), were able to impersonate
any other Jenkins user on the same instance.
This has been fixed by storing the cached authentication as a hash-based MAC with a key specific to the Jenkins instance and the CLI
authentication cache.
Previously cached authentications are invalidated when upgrading
Jenkins to a version containing a fix for this.
- CVE-2017-1000355 (arbitrary code execution)
Jenkins uses the XStream library to serialize and deserialize XML. Its
maintainer recently published a security vulnerability that allows
anyone able to provide XML to Jenkins for processing using XStream to
crash the Java process. In Jenkins this typically applies to users with
permission to create or configure items (jobs), views, or agents.
Jenkins now prohibits the attempted deserialization of void / Void that
results in a crash.
- CVE-2017-1000356 (cross-site request forgery)
Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed
malicious users to perform several administrative actions by tricking a
victim into opening a web page. The most notable ones:
  - SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished
  - SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself
  - SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site
  - SECURITY-414: Remove any update site from the Jenkins configuration
  - SECURITY-415: Change a user’s API token
  - SECURITY-416: Submit system configuration
  - SECURITY-417: Submit global security configuration
  - SECURITY-418, SECURITY-420: For the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process
  - SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method
  - SECURITY-420: Update the node monitor data on all agents
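The cache design that the CVE-2017-1000354 fix describes (a keyed MAC instead of an encrypted user name), written out as an added Python example that is neither Jenkins code nor part of this advisory. The instance secret, the purpose string used to derive the cache key, and the "mac-v1" entry format are all hypothetical stand-ins; the point is that a valid entry can only be produced by a holder of the key derived for this one purpose, and that entries in the old format are rejected so that pre-fix caches are invalidated.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical instance-wide secret standing in for the per-installation key a
# Jenkins instance would hold; generated fresh here so the example runs stand-alone.
INSTANCE_SECRET = secrets.token_bytes(32)

# Version tag for the cache format: entries without it (e.g. written before the
# fix) are rejected, which is how previously cached authentications get invalidated.
CACHE_FORMAT = "mac-v1"


def derive_key(instance_secret: bytes, purpose: str) -> bytes:
    """Derive a purpose-specific key from the instance secret.

    Binding the key to a purpose string means a MAC valid for the CLI
    authentication cache cannot be produced from, or reused for, any other
    keyed operation on the same instance (e.g. secret storage).
    """
    return hmac.new(instance_secret, purpose.encode("utf-8"), hashlib.sha256).digest()


CLI_CACHE_KEY = derive_key(INSTANCE_SECRET, "cli-authentication-cache")


def make_cache_entry(username: str, key: bytes = CLI_CACHE_KEY) -> str:
    """Build the entry stored after a successful login: the user name plus a MAC over it."""
    mac = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{CACHE_FORMAT}:{username}:{mac}"


def verify_cache_entry(entry: str, key: bytes = CLI_CACHE_KEY) -> Optional[str]:
    """Return the authenticated user name if the entry carries a valid MAC, else None."""
    prefix, sep, rest = entry.partition(":")
    if not sep or prefix != CACHE_FORMAT:
        return None  # legacy or malformed entry: force a fresh login
    username, sep, mac = rest.rpartition(":")  # MAC is hex, so the last ':' delimits it
    if not sep or not username:
        return None
    expected = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return username
```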
Resolution
Upgrade to 2.57-1.
# pacman -Syu "jenkins>=2.57-1"
The problems have been fixed upstream in version 2.57.
References
https://www.jenkins.io/security/advisory/2017-04-26/
https://seclists.org/oss-sec/2017/q2/132
https://www.openwall.com/lists/oss-security/2017/04/03/4
https://security.archlinux.org/CVE-2017-1000354
https://security.archlinux.org/CVE-2017-1000355
https://security.archlinux.org/CVE-2017-1000356
Workaround
None.