Arch Linux Security Advisory ASA-202111-1
=========================================

Severity: Critical
Date    : 2021-11-05
CVE-ID  : CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688
          CVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692
          CVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696
          CVE-2021-21697
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2526

Summary
=======

The package jenkins before version 2.319-1 is vulnerable to multiple
issues including arbitrary filesystem access and sandbox escape.

Resolution
==========

Upgrade to 2.319-1.

# pacman -Syu "jenkins>=2.319-1"

The problems have been fixed upstream in version 2.319.

Workaround
==========

If you are unable to upgrade to Jenkins 2.319 right away, you can
install the Remoting Security Workaround Plugin. It prevents all
agent-to-controller file access through the FilePath APIs. Because it
is more restrictive than the fix in Jenkins 2.319, more plugins are
incompatible with it than with the upgraded release. Make sure to read
the plugin documentation before installing it.

Description
===========

- CVE-2021-21685 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#mkdirs does not check permission to create parent directories.
This allows agent processes to read and write arbitrary files on the
Jenkins controller file system, and obtain some information about
Jenkins controller file systems.

- CVE-2021-21686 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. File
path filters do not canonicalize paths, allowing operations to follow
symbolic links to outside allowed directories. This allows agent
processes to read and write arbitrary files on the Jenkins controller
file system, and obtain some information about Jenkins controller file
systems.

- CVE-2021-21687 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#untar does not check permission to create symbolic links when
unarchiving a symbolic link. This allows agent processes to read and
write arbitrary files on the Jenkins controller file system, and obtain
some information about Jenkins controller file systems.

- CVE-2021-21688 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#reading(FileVisitor) does not reject any operations, allowing
users to have unrestricted read access using certain operations
(creating archives, #copyRecursiveTo). This allows agent processes to
read and write arbitrary files on the Jenkins controller file system,
and obtain some information about Jenkins controller file systems.

- CVE-2021-21689 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#unzip and FilePath#untar were not subject to any access
control. This allows agent processes to read and write arbitrary files
on the Jenkins controller file system, and obtain some information
about Jenkins controller file systems.

- CVE-2021-21690 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. Agent
processes are able to completely bypass file path filtering by wrapping
the file operation in an agent file path. This allows agent processes
to read and write arbitrary files on the Jenkins controller file
system, and obtain some information about Jenkins controller file
systems.

- CVE-2021-21691 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
Creating symbolic links is possible without the symlink permission.
This allows agent processes to read and write arbitrary files on the
Jenkins controller file system, and obtain some information about
Jenkins controller file systems.

- CVE-2021-21692 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. The
operations FilePath#renameTo and FilePath#moveAllChildrenTo only check
read permission on the source path. This allows agent processes to read
and write arbitrary files on the Jenkins controller file system, and
obtain some information about Jenkins controller file systems.

- CVE-2021-21693 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. When
creating temporary files, permission to create files is only checked
after they’ve been created. This allows agent processes to read and
write arbitrary files on the Jenkins controller file system, and obtain
some information about Jenkins controller file systems.

- CVE-2021-21694 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,
FilePath#isDescendant, and FilePath#get*DiskSpace do not check any
permissions. This allows agent processes to read and write arbitrary
files on the Jenkins controller file system, and obtain some
information about Jenkins controller file systems.

- CVE-2021-21695 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#listFiles lists files outside directories with agent read
access when following symbolic links. This allows agent processes to
read and write arbitrary files on the Jenkins controller file system,
and obtain some information about Jenkins controller file systems.

- CVE-2021-21696 (sandbox escape)

Jenkins before version 2.319 does not limit agent read/write access to
the libs/ directory inside build directories when using the FilePath
APIs. This directory is used by the "Pipeline: Shared Groovy Libraries"
Plugin to store copies of shared libraries.

This allows attackers in control of agent processes to replace the code
of a trusted library with a modified variant, resulting in unsandboxed
code execution in the Jenkins controller process.

Jenkins 2.319 prohibits agent read/write access to the libs/ directory
inside build directories.

- CVE-2021-21697 (arbitrary filesystem access)

Agents are allowed some limited access to files on the Jenkins
controller file system. The directories agents are allowed to access in
Jenkins before 2.319 include the directories storing build-related
information, intended to allow agents to store build-related metadata
during build execution. As a consequence, this allows any agent to read
and write the contents of any build directory stored in Jenkins, for
any job and any build, the only exceptions being build.xml and some
Pipeline-related metadata.

Jenkins 2.319 prevents agents from accessing contents of build
directories unless it’s for builds currently running on the agent
attempting to access the directory.
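The common root of CVE-2021-21686, CVE-2021-21694 and CVE-2021-21695 is
a path filter that reasons about the path string an agent supplies
rather than the file the path actually resolves to, so a symbolic link
placed inside an allowed directory lets the agent reach outside it. The
example below is added here to illustrate that bug class in general
terms; it is not Jenkins code and does not reproduce the FilePath
implementation. It constructs a temporary layout (an allowed workspace/
directory, a secrets/ directory next to it, and a symlink
workspace/escape pointing at secrets/), then runs the same access
request through a lexical prefix check and through a check that
canonicalises both sides with realpath and compares path components.
The naive_is_allowed, canonical_is_allowed and list_allowed names are
illustrative. It also shows a second weakness of string-prefix filters
that the advisory does not mention: a sibling directory whose name
merely starts with the allowed root passes the naive check.

```python
import os
import shutil
import tempfile
from typing import Callable, List


def naive_is_allowed(path: str, allowed_root: str) -> bool:
    """Vulnerable filter (illustrative, not Jenkins code).

    Only normalises the path lexically, so a symlink inside allowed_root
    that points elsewhere still passes, and so does any sibling whose
    name happens to start with allowed_root (e.g. workspace2/).
    """
    return os.path.abspath(path).startswith(os.path.abspath(allowed_root))


def canonical_is_allowed(path: str, allowed_root: str) -> bool:
    """Hardened filter: resolve symlinks on both sides first, then compare
    whole path components instead of a string prefix."""
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(path)
    return os.path.commonpath([root, real]) == root


def list_allowed(directory: str, allowed_root: str,
                 check: Callable[[str, str], bool]) -> List[str]:
    """Recursive listing that follows symlinks (as a listFiles-style API
    might) but drops every entry the supplied filter rejects."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(directory, followlinks=True):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if check(full, allowed_root):
                found.append(os.path.relpath(full, directory))
    return sorted(found)


def build_fixture() -> str:
    """Constructed layout, created fresh in a temp dir:
        <base>/workspace/            allowed
        <base>/workspace/escape  ->  <base>/secrets   (symlink)
        <base>/workspace2/           sibling, NOT allowed
        <base>/secrets/master.key    NOT allowed
    """
    base = tempfile.mkdtemp(prefix="fp-filter-demo-")
    os.mkdir(os.path.join(base, "workspace"))
    os.mkdir(os.path.join(base, "workspace2"))
    os.mkdir(os.path.join(base, "secrets"))
    with open(os.path.join(base, "secrets", "master.key"), "w") as fh:
        fh.write("constructed-sample-value\n")  # not a real key
    with open(os.path.join(base, "workspace2", "note.txt"), "w") as fh:
        fh.write("sibling file\n")
    os.symlink(os.path.join(base, "secrets"),
               os.path.join(base, "workspace", "escape"))
    return base


def demo() -> dict:
    """Run both filters over the same requests and return the verdicts."""
    base = build_fixture()
    try:
        workspace = os.path.join(base, "workspace")
        via_symlink = os.path.join(workspace, "escape", "master.key")
        sibling = os.path.join(base, "workspace2", "note.txt")
        return {
            "symlink_naive": naive_is_allowed(via_symlink, workspace),
            "symlink_canonical": canonical_is_allowed(via_symlink, workspace),
            "sibling_naive": naive_is_allowed(sibling, workspace),
            "sibling_canonical": canonical_is_allowed(sibling, workspace),
            "naive_listing": list_allowed(workspace, workspace, naive_is_allowed),
            "canonical_listing": list_allowed(workspace, workspace, canonical_is_allowed),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The listing case matters as much as the single-file check: a directory
walk that follows links and filters lexically reports secrets/master.key
as workspace/escape/master.key and treats it as in scope, which is the
shape of the listFiles issue above. Resolving the real path before the
comparison closes both the symlink and the sibling-prefix cases at once.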

Impact
======

Agent processes could read and write arbitrary files on the Jenkins
controller file system, and obtain some information about Jenkins
controller file systems.

References
==========

https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428
https://security.archlinux.org/CVE-2021-21685
https://security.archlinux.org/CVE-2021-21686
https://security.archlinux.org/CVE-2021-21687
https://security.archlinux.org/CVE-2021-21688
https://security.archlinux.org/CVE-2021-21689
https://security.archlinux.org/CVE-2021-21690
https://security.archlinux.org/CVE-2021-21691
https://security.archlinux.org/CVE-2021-21692
https://security.archlinux.org/CVE-2021-21693
https://security.archlinux.org/CVE-2021-21694
https://security.archlinux.org/CVE-2021-21695
https://security.archlinux.org/CVE-2021-21696
https://security.archlinux.org/CVE-2021-21697