Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <0A92B24E-DD0F-4B77-8CF5-C6C997D305E5@beckweb.net>
Date: Mon, 26 Mar 2018 13:22:37 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

* Ansible Plugin 1.0
* Cucumber Living Documentation Plugin 1.1.0
* GitHub Pull Request Builder Plugin 1.40.0
* Mailer Plugin 1.21
* Reverse Proxy Auth Plugin 1.6.0
* vSphere Plugin 2.17

Additionally, these plugin were removed from distribution as they are
unmaintained, and there are no plans to fix their security issues:

* Copy To Slave Plugin
* Liquibase Runner Plugin
* Perforce Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2018-03-26/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-261
GitHub Pull Request Builder Plugin stored serialized objects in `build.xml` 
files that contained the credential used to poll Jenkins. This can be used 
by users with master file system access to obtain GitHub credentials.

Since 1.40.0, the plugin no longer stores serialized objects containing the 
credential on disk.

Builds started before the plugin was updated to 1.40.0 will retain the 
encoded credentials on disk. We strongly recommend revoking old GitHub 
credentials used in Jenkins.


SECURITY-262
GitHub Pull Request Builder Plugin stored the webhook secret shared between 
Jenkins and GitHub in plain text.

This allowed users with Jenkins master local file system access and Jenkins 
administrators to retrieve the stored password. The latter could result in 
exposure of the passwords through browser extensions, cross-site scripting 
vulnerabilities, and similar situations.

GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook 
secret encrypted on disk.


SECURITY-308
Cucumber Living Documentation Plugin disabled the 'Content-Security-Policy' 
HTTP header XSS protection for files served by Jenkins until Jenkins was 
restarted whenever a Cucumber peport was viewed by any user.

This has been addressed in version 1.1.0 of the plugin, and it will now 
request that users manually change the Content-Security-Policy option in 
Jenkins.


SECURITY-373
Perforce Plugin encrypts its credentials using DES and a public key stored 
in its public source code, so it only serves as basic obfuscation. This 
allowed users with Jenkins master local file system access and Jenkins 
administrators to retrieve the stored password. The latter could result in 
exposure of the passwords through browser extensions, cross-site scripting 
vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix. The plugin has been 
removed from publication at the request of its former maintainers.


SECURITY-504
vSphere Plugin disabled SSL/TLS certificate validation unconditionally,
allowing potential man-in-the-middle attacks.

vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by
default.


SECURITY-519
Liquibase Runner Plugin allows users with Job/Configure permission to 
configure its build step in a way that loads arbitrary class files into the 
Jenkins master JVM, resulting in arbitrary code execution.

As of publication of this advisory, there is no fix.


SECURITY-536
Perforce Plugin implements its own credential encryption using DES and an 
encryption key stored in its public source code. This is not considered a 
secret by Jenkins, resulting in potential exposure of Perforce credentials 
stored in job configurations to users with Extended Read permission.
While these are encrypted, this can only be considered basic obfuscation 
due to the hard-coded public encryption key used.

As of publication of this advisory, there is no fix.


SECURITY-545
Copy To Slave Plugin allows users with Job/Configure permissions to 
configure it in such a way that it allows obtaining arbitrary files 
accessible to the Jenkins master process from the Jenkins master file
system.

As of publication of this advisory, there is no fix.


SECURITY-630
Ansible Plugin disabled host key verification by default, having it only as 
an opt-in option.

Ansible Plugin 1.0 now enables host key verification by default, adding 
options allowing users to opt out.

Existing configurations that previously did not opt into host key 
verification will have host key verification enabled after update, possibly 
resulting in failures.


SECURITY-736
Reverse Proxy Auth Plugin persisted a cache of granted authorities (group 
memberships) on disk.

This could allow users with local Jenkins master file system access to 
obtain group membership information of Jenkins users.


SECURITY-745
vSphere Plugin did not perform permission checks on methods implementing 
form validation. This allowed users with Overall/Read access to Jenkins to 
perform various actions such as:

* Connect to an attacker-specified vSphere server using attacker-specified 
  credentials IDs obtained through another method, capturing credentials 
  stored in Jenkins
* Connect to configured vSphere servers and looking up information, 
  potentially resulting in denial of service

Additionally, these form validation methods did not require POST requests, 
resulting in a CSRF vulnerability.

These form validation methods now require POST requests and appropriate 
user permissions.


SECURITY-774 / CVE-2018-8718
A missing permission check in Mailer Plugin allowed users with Overall/Read 
access to Jenkins to have it connect to a user-specified mail server with 
user-specified credentials to send a test email to a user-specified email 
address. The email subject and body could not be changed. This could result 
in DoS if, for example, specifying a valid mail server but invalid 
credentials.

As the same URL did not require POST to be used, it also was vulnerable to 
cross-site request forgery.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.