Jenkins Security Advisory 2018-08-15

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)

Descriptions

Jenkins allowed deserialization of URL objects with host components

SECURITY-637 / CVE-2018-1999042

Jenkins allowed deserialization of URL objects via Remoting (agent communication) and XStream.

This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records.

Jenkins now injects a URLStreamHandler when deserializing URLs that overrides the affected URL methods.

This can be disabled if needed by setting the system property hudson.remoting.URLDeserializationHelper.avoidUrlWrapping to true.

Ephemeral user record was created on some invalid authentication attempts

SECURITY-672 / CVE-2018-1999043

When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as (legacy) API tokens could exist without a persisted user record.

This behavior could be abused to create a large number of ephemeral user records in memory.

The API token validation on authentication has been improved to no longer create ephemeral user records.

Cron expression form validation could enter infinite loop, potentially resulting in denial of service

SECURITY-790 / CVE-2018-1999044

The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.

"Remember me" cookie was evaluated even if that feature is disabled

SECURITY-996 / CVE-2018-1999045

The "Remember me" feature can be disabled in the Jenkins security configuration.

This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in.

"Remember me" cookies are no longer evaluated when the corresponding feature is disabled.

Unauthorized users could access agent logs

SECURITY-1071 / CVE-2018-1999046

Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks.

Access to the affected URL is now limited to users with the correct Agent/Connect permission.

Unauthorized users could cancel scheduled restarts initiated from the update center

SECURITY-1076 / CVE-2018-1999047

Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks.

Access to the affected URL is now limited to users with Overall/Administer permission.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.137
  • Jenkins LTS up to and including 2.121.2

Fix

  • Jenkins weekly should be updated to version 2.138
  • Jenkins LTS should be updated to version 2.121.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Jesse Glick, CloudBees, Inc. for SECURITY-637
  • Orange Tsai(@orange_8361) from DEVCORE for SECURITY-1071
  • Thomas de Grenier de Latour for SECURITY-790
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1076
  • Wadeck Follonier, CloudBees, Inc., and, independently, Nimrod Stoler of CyberArk Labs for SECURITY-672