Jenkins Security Advisory 2019-04-30

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

CSRF vulnerability and missing permission check allowed changing default graph configuration in analysis-core Plugin

SECURITY-1100 / CVE-2019-10307 (CSRF) and CVE-2019-10308 (permission check)

analysis-core Plugin has the capability to allow other plugins to display trend graphs for their static analysis results. analysis-core Plugin provides the configuration form for the default settings of each graph.

The configuration form and form submission handler did not perform a permission check, allowing attackers with Job/Read access to change the per-job graph configuration defaults for all users.

Additionally, the form submission handler did not require POST requests, resulting in a cross-site request forgery vulnerability.

analysis-core Plugin now requires Job/Configure permission and POST requests to configure the per-job graph defaults for all users.

SiteMonitor Plugin globally and unconditionally disables SSL/TLS certificate validation

SECURITY-930 / CVE-2019-10317

SiteMonitor Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

SiteMonitor Plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for each site check individually.

XXE vulnerability via UDP broadcast response in Swarm Plugin client

SECURITY-1252 / CVE-2019-10309

Swarm Plugin allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. Responses to this request are XML documents.

Swarm Plugin does not configure the XML parser in a way that would prevent XML External Entity (XXE) processing. This allows unauthenticated attackers on the same network to have Swarm clients parse a maliciously crafted XML response that uses external entities to read arbitrary files from the Swarm client or denial-of-service attacks.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in Ansible Tower Plugin allowed capturing credentials

SECURITY-1355 (1) / CVE-2019-10310 (CSRF) and CVE-2019-10311 (permission check)

Ansible Tower Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Users with Overall/Read access are able to enumerate credential IDs in Ansible Tower Plugin

SECURITY-1355 (2) / CVE-2019-10312

Ansible Tower Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

Azure AD Plugin stored credentials in plain text

SECURITY-1390 / CVE-2019-10318

Azure AD Plugin stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Azure AD Plugin now stores the client secret encrypted.

Twitter Plugin stores credentials in plain text

SECURITY-1143 / CVE-2019-10313

Twitter Plugin stores credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Koji Plugin globally and unconditionally disables SSL/TLS certificate validation

SECURITY-936 / CVE-2019-10314

Koji Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

CSRF vulnerability in OAuth callback in GitHub Authentication Plugin

SECURITY-443 / CVE-2019-10315

GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account.

The state parameter is now correctly managed.

Aqua MicroScanner Plugin stored credentials in plain text

SECURITY-1380 / CVE-2019-10316

Aqua MicroScanner Plugin stored credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Aqua MicroScanner Plugin now stores credentials encrypted.

Severity

Affected Versions

  • analysis-core Plugin up to and including 1.95
  • Ansible Tower Plugin up to and including 0.9.1
  • Aqua MicroScanner Plugin up to and including 1.0.5
  • Azure AD Plugin up to and including 0.3.3
  • GitHub Authentication Plugin up to and including 0.31
  • Koji Plugin up to and including 0.3
  • SiteMonitor Plugin up to and including 0.5
  • Swarm Plugin up to and including 3.15
  • Twitter Plugin up to and including 0.7

Fix

  • analysis-core Plugin should be updated to version 1.96
  • Ansible Tower Plugin should be updated to version 0.9.2
  • Aqua MicroScanner Plugin should be updated to version 1.0.6
  • Azure AD Plugin should be updated to version 0.3.4
  • GitHub Authentication Plugin should be updated to version 0.32
  • SiteMonitor Plugin should be updated to version 0.6

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Koji Plugin
  • Swarm Plugin
  • Twitter Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-930, SECURITY-936
  • Mark Combellack, CafeX Communications for SECURITY-1390
  • Oleg Nenashev, CloudBees, Inc. for SECURITY-1100
  • Peter Adkins of Cisco Umbrella for SECURITY-1252, SECURITY-1355 (1), SECURITY-1355 (2)
  • Takashi Suzuki(@taka_1690) for SECURITY-443