Arch Linux Security Advisory ASA-201704-8
=========================================
Severity: High
Date    : 2017-04-27
CVE-ID  : CVE-2017-1000354 CVE-2017-1000355 CVE-2017-1000356
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-255

Summary
=======
The package jenkins before version 2.57-1 is vulnerable to multiple
issues including cross-site request forgery, privilege escalation and
arbitrary code execution.

Resolution
==========
Upgrade to 2.57-1.

# pacman -Syu "jenkins>=2.57-1"

The problems have been fixed upstream in version 2.57.

Workaround
==========
None.

Description
===========
- CVE-2017-1000354 (privilege escalation)

The login command available in the remoting-based CLI stored the
encrypted user name of the successfully authenticated user in a cache
file used to authenticate further commands. Users with sufficient
permission to create secrets in Jenkins, and download their encrypted
values (e.g. with Job/Configure permission), were able to impersonate
any other Jenkins user on the same instance.

This has been fixed by storing the cached authentication as a hash-based
MAC with a key specific to the Jenkins instance and the CLI
authentication cache.

Previously cached authentications are invalidated when upgrading
Jenkins to a version containing a fix for this.
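The fix described above replaces a reversible (encrypted) cache entry with a
keyed MAC under a key used for nothing else. The following is an added
illustration written for this advisory, not Jenkins code; the key names and the
toy "stored secrets" key are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed keys for illustration. In the fixed design the CLI authentication
# cache has its own key, separate from the key that protects stored secrets, so
# the ability to obtain encrypted values of arbitrary strings gives no way to
# mint a valid cache entry.
SECRETS_KEY = secrets.token_bytes(32)     # toy key for ordinary stored secrets
CLI_CACHE_KEY = secrets.token_bytes(32)   # key used only for the CLI auth cache


def make_cache_entry(username: str, key: bytes = CLI_CACHE_KEY) -> bytes:
    """Token written to the CLI auth cache after a successful login:
    HMAC-SHA256 over the user name with the cache-specific key."""
    return hmac.new(key, username.encode("utf-8"), hashlib.sha256).digest()


def authenticate_from_cache(username: str, token: bytes,
                            key: bytes = CLI_CACHE_KEY) -> bool:
    """Recompute the MAC for the claimed user and compare in constant time.
    Tokens minted under any other key, or for another user, are rejected."""
    expected = make_cache_entry(username, key)
    return hmac.compare_digest(expected, token)


def demo() -> dict:
    """Exercise the accept and reject paths; every value should be True."""
    good = make_cache_entry("alice")
    # A value produced with the general secrets key (the kind of encrypted
    # value a user with Job/Configure permission could obtain) does not verify.
    minted_elsewhere = hmac.new(SECRETS_KEY, b"admin", hashlib.sha256).digest()
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    return {
        "valid": authenticate_from_cache("alice", good),
        "other_key_rejected": not authenticate_from_cache("admin", minted_elsewhere),
        "tampered_rejected": not authenticate_from_cache("alice", tampered),
        "wrong_user_rejected": not authenticate_from_cache("bob", good),
    }


if __name__ == "__main__":
    print(demo())
```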

- CVE-2017-1000355 (arbitrary code execution)

Jenkins uses the XStream library to serialize and deserialize XML. Its
maintainer recently published a security vulnerability that allows
anyone able to provide XML to Jenkins for processing using XStream to
crash the Java process. In Jenkins this typically applies to users with
permission to create or configure items (jobs), views, or agents.

Jenkins now prohibits the attempted deserialization of void / Void that
results in a crash.

- CVE-2017-1000356 (cross-site request forgery)

Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed
malicious users to perform several administrative actions by tricking a
victim into opening a web page. The most notable ones:

- SECURITY-412: Restart Jenkins immediately, after all builds are
  finished, or after all plugin installations and builds are finished
- SECURITY-412: Schedule a downgrade of Jenkins to a previously installed
  version if Jenkins previously upgraded itself
- SECURITY-413: Install and (optionally) dynamically load any plugin
  present on a configured update site
- SECURITY-414: Remove any update site from the Jenkins configuration
- SECURITY-415: Change a user's API token
- SECURITY-416: Submit system configuration
- SECURITY-417: Submit global security configuration
- SECURITY-418, SECURITY-420: For Jenkins user database authentication
  realm: create an account if signup is enabled; or create an account if
  the victim is an administrator, possibly deleting the existing default
  admin user in the process
- SECURITY-419: Create a new agent, possibly executing arbitrary shell
  commands on the master node by choosing the appropriate launch method
- SECURITY-420: Update the node monitor data on all agents

Impact
======
A remote attacker can escalate privileges, execute arbitrary code or
execute cross-site request forgery which allows the attacker to perform
several administrative actions.

References
==========
https://www.jenkins.io/security/advisory/2017-04-26/
https://seclists.org/oss-sec/2017/q2/132
https://www.openwall.com/lists/oss-security/2017/04/03/4
https://security.archlinux.org/CVE-2017-1000354
https://security.archlinux.org/CVE-2017-1000355
https://security.archlinux.org/CVE-2017-1000356
