
[ASA-201704-8] jenkins: multiple issues

2017-04-27 00:00:00
security.archlinux.org

CVSS3: 8.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.009 Low
  Percentile: 82.2%

Arch Linux Security Advisory ASA-201704-8

Severity: High
Date : 2017-04-27
CVE-ID : CVE-2017-1000354 CVE-2017-1000355 CVE-2017-1000356
Package : jenkins
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-255

Summary

The package jenkins before version 2.57-1 is vulnerable to multiple
issues including cross-site request forgery, privilege escalation and
arbitrary code execution.

Resolution

Upgrade to 2.57-1.

pacman -Syu "jenkins>=2.57-1"

The problems have been fixed upstream in version 2.57.

Workaround

None.

Description

  • CVE-2017-1000354 (privilege escalation)

The login command available in the remoting-based CLI stored the
encrypted user name of the successfully authenticated user in a cache
file used to authenticate further commands. Users with sufficient
permission to create secrets in Jenkins, and download their encrypted
values (e.g. with Job/Configure permission), were able to impersonate
any other Jenkins user on the same instance.

This has been fixed by storing the cached authentication as a hash-based
MAC (HMAC) computed under a key that is specific to the Jenkins instance
and reserved for the CLI authentication cache.

Previously cached authentications are invalidated when upgrading
Jenkins to a version containing a fix for this.
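The difference between the flawed cache and the fix, as an added illustration that is not Jenkins' own code: the flawed design stored a value (the encrypted user name) that a user could also obtain through an unrelated feature, so holding the cache file was enough to mint an entry for any user. Keying the entry with a secret that exists only for this cache removes that path, and rotating the key (as the upgrade does) invalidates every entry made before it. The key, entry format and function names below are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-instance secret reserved for the CLI authentication cache.
# It is generated once on the server and never exposed through any other
# feature, so a user who can read encrypted secrets elsewhere in the
# application still cannot compute a cache entry for another user.
INSTANCE_CACHE_KEY = secrets.token_bytes(32)

HEX_DIGITS = set("0123456789abcdef")


def _tag(username: str, key: bytes) -> str:
    return hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()


def make_cache_entry(username: str, key: bytes = INSTANCE_CACHE_KEY) -> str:
    """Value written to the cache file after a successful login.

    The user name is stored in the clear next to its HMAC; what protects it
    is that nobody without `key` can produce the tag for a different name.
    """
    return f"{username}:{_tag(username, key)}"


def authenticate_from_cache(entry: str, key: bytes = INSTANCE_CACHE_KEY):
    """Return the user name if `entry` carries a valid tag, otherwise None.

    The tag is lowercase hex, so splitting on the last ':' tolerates user
    names that themselves contain a colon.
    """
    username, sep, tag = entry.rpartition(":")
    if not sep or not username:
        return None
    # Reject anything that is not a well-formed SHA-256 hex tag before
    # comparing, so untrusted input never reaches compare_digest malformed.
    if len(tag) != 64 or not set(tag) <= HEX_DIGITS:
        return None
    # Constant-time comparison: a byte-by-byte mismatch must not leak timing.
    if hmac.compare_digest(_tag(username, key), tag):
        return username
    return None


def rotate_key() -> bytes:
    """Simulate the upgrade behaviour described above: a fresh key makes every
    previously cached entry fail verification."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    entry = make_cache_entry("alice")
    assert authenticate_from_cache(entry) == "alice"
    # Splicing alice's tag onto another name is rejected ...
    assert authenticate_from_cache("admin:" + entry.rpartition(":")[2]) is None
    # ... and so is an entry made under an old or foreign key.
    assert authenticate_from_cache(entry, key=rotate_key()) is None
    print("cache entries verified")
```

The property worth checking in a real deployment is the second assertion: an entry for one user must be useless as a template for any other user, which holds only because the key is neither derivable from nor exported by any other feature.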

  • CVE-2017-1000355 (arbitrary code execution)

Jenkins uses the XStream library to serialize and deserialize XML. Its
maintainer recently published a security vulnerability that allows
anyone able to provide XML to Jenkins for processing using XStream to
crash the Java process. In Jenkins this typically applies to users with
permission to create or configure items (jobs), views, or agents.

Jenkins now prohibits the attempted deserialization of void / Void that
results in a crash.
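A defensive pre-check for the same failure mode, added here as an example and not taken from Jenkins or XStream: XStream maps an element's tag name, or its `class` attribute, to a Java type, so a filter that walks submitted configuration XML and rejects references to `void` / `java.lang.Void` before the document reaches the deserializer stops the crash at the edge. The forbidden-type set, the sample job XML and the function name are constructed for this example; in XStream itself the equivalent control is its type allow/deny list.

```python
import xml.etree.ElementTree as ET
from typing import List

# Types that must never be instantiated from untrusted XML. Only the two
# named in the advisory are listed; a real deployment would carry an
# allow-list of the types it actually expects instead.
FORBIDDEN_TYPES = {"void", "java.lang.Void"}


def find_forbidden_types(xml_text: str) -> List[str]:
    """Return XPath-like locations of every element that names a forbidden type.

    Both the tag name and the `class` attribute are inspected, because
    XStream resolves a Java type from either. Malformed XML raises
    xml.etree.ElementTree.ParseError, which the caller should treat as a
    rejection too.
    """
    root = ET.fromstring(xml_text)
    hits: List[str] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}"
        if elem.tag in FORBIDDEN_TYPES:
            hits.append(here)
        cls = elem.get("class")
        if cls in FORBIDDEN_TYPES:
            hits.append(f"{here}[@class={cls}]")
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


def is_safe_to_deserialize(xml_text: str) -> bool:
    """Gate to call before handing item/view/agent XML to the deserializer."""
    return not find_forbidden_types(xml_text)


# Constructed sample of a job configuration carrying both forms of reference.
SAMPLE_JOB_XML = """<project>
  <description>nightly build</description>
  <properties>
    <entry class="java.lang.Void"/>
  </properties>
  <void/>
</project>"""

CLEAN_JOB_XML = """<project>
  <description>nightly build</description>
  <properties/>
</project>"""


if __name__ == "__main__":
    for path in find_forbidden_types(SAMPLE_JOB_XML):
        print("rejected:", path)
    print("clean document accepted:", is_safe_to_deserialize(CLEAN_JOB_XML))
```

Reporting the location of each hit rather than a bare boolean makes the rejection auditable: the paths can go straight into a security log entry identifying which submitted field carried the reference.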

  • CVE-2017-1000356 (cross-site request forgery)

Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed
malicious users to perform several administrative actions by tricking a
victim into opening a web page. The most notable ones:

    - SECURITY-412: Restart Jenkins immediately, after all builds are
      finished, or after all plugin installations and builds are finished
    - SECURITY-412: Schedule a downgrade of Jenkins to a previously installed
      version if Jenkins previously upgraded itself
    - SECURITY-413: Install and (optionally) dynamically load any plugin
      present on a configured update site
    - SECURITY-414: Remove any update site from the Jenkins configuration
    - SECURITY-415: Change a user's API token
    - SECURITY-416: Submit system configuration
    - SECURITY-417: Submit global security configuration
    - SECURITY-418, SECURITY-420: For Jenkins user database authentication
      realm: create an account if signup is enabled; or create an account if
      the victim is an administrator, possibly deleting the existing default
      admin user in the process
    - SECURITY-419: Create a new agent, possibly executing arbitrary shell
      commands on the master node by choosing the appropriate launch method
    - SECURITY-420: Update the node monitor data on all agents
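What all of the entries above have in common is a state-changing endpoint that honoured a request carrying only the victim's session cookie, which the browser attaches automatically even when the request originates from another site. The added example below (not Jenkins' code) models that handler with and without an anti-CSRF token bound to the session by an HMAC: the cross-site page cannot read the token because of the same-origin policy, so a request without it is refused. The key, header name, `/restart` path and request type are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Hypothetical per-instance secret; the token is an HMAC over the session
# identifier, so it is bound to one logged-in browser and cannot be guessed.
CRUMB_KEY = secrets.token_bytes(32)
CRUMB_HEADER = "X-Crumb"            # header name chosen for this example
STATE_CHANGING = {"POST", "PUT", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    session_id: str                 # taken from the cookie the browser attaches
    headers: Dict[str, str] = field(default_factory=dict)


def issue_crumb(session_id: str) -> str:
    """Handed only to same-origin pages, which echo it back on every write."""
    return hmac.new(CRUMB_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def handle(request: Request, require_crumb: bool = True) -> int:
    """Return the HTTP status an administrative endpoint would answer with.

    With require_crumb=False the handler behaves like the unprotected
    endpoints listed above: any POST that arrives in the victim's session is
    honoured, whichever page caused the browser to send it.
    """
    if request.method not in STATE_CHANGING:
        return 200
    if require_crumb:
        crumb = request.headers.get(CRUMB_HEADER, "")
        # Non-ASCII input would make compare_digest raise; treat it as absent.
        if not crumb.isascii():
            crumb = ""
        if not hmac.compare_digest(crumb, issue_crumb(request.session_id)):
            return 403
    return 200  # the action (restart, plugin install, ...) would run here


if __name__ == "__main__":
    session = "session-of-victim"
    # Constructed request as a cross-site page would cause the browser to send
    # it: the session cookie is present, the token is not.
    cross_site = Request("POST", "/restart", session)
    print("unprotected endpoint:", handle(cross_site, require_crumb=False))
    print("protected endpoint:  ", handle(cross_site))
    legit = Request("POST", "/restart", session, {CRUMB_HEADER: issue_crumb(session)})
    print("same-origin client:  ", handle(legit))
```

Binding the token to the session (rather than issuing one global value) matters for the second-to-last case in the test: a token obtained for one session does not authorise writes in another, so leaking a token from an attacker-controlled account gives nothing against the victim's.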

Impact

A remote attacker can escalate privileges, execute arbitrary code, or
perform cross-site request forgery, which allows the attacker to carry
out several administrative actions.

References

https://jenkins.io/security/advisory/2017-04-26/
http://seclists.org/oss-sec/2017/q2/132
http://www.openwall.com/lists/oss-security/2017/04/03/4
https://security.archlinux.org/CVE-2017-1000354
https://security.archlinux.org/CVE-2017-1000355
https://security.archlinux.org/CVE-2017-1000356

OS         Version  Architecture  Package  Version   Filename
ArchLinux  any      any           jenkins  < 2.57-1  UNKNOWN
