Add 2018-10-10 security advisory

content/_data/changelogs/lts.yml

@@ -2008,6 +2008,14 @@
     references:
     - url: https://jenkins.io/security/advisory/2018-10-10/
       title: security advisory
+  - type: major rfe
+    message: >
+      Security hardening: Escape variables in Jelly views by default.
+    references:
+      - url: /blog/2018/10/10/security-updates/
+        title: announcement blog post
+      - url: /doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities
+        title: LTS upgrade guide
   - type: major bug
     references:
     - issue: 53239
@@ -2017,6 +2025,10 @@
     pull: 3602
     message: >
       Update Winstone-Jetty from 4.4 to 5.0 to fix HTTP/2 support and threading problems on hosts with 30+ cores.
+  - type: rfe
+    message: Security hardening related to Stapler routing.
+  - type: rfe
+    message: Security hardening related to HTTP verb restrictions for web methods.
   - type: rfe
     pull: 3604
     references:

content/_data/changelogs/weekly.yml

@@ -3422,6 +3422,26 @@
     # pull: 3684 too minor (CLI help JENKINS-53792)
     # pull: 3681 too minor (icon size i18n)
     # pull: 3679 smoke test profile, doc update
+- version: "2.146"
+  date: 2018-10-10
+  changes:
+  - type: security
+    message: Important security fixes.
+    references:
+    - url: https://jenkins.io/security/advisory/2018-10-10/
+      title: security advisory
+  - type: major rfe
+    message: >
+      Security hardening: Escape variables in Jelly views by default.
+    references:
+    - url: /blog/2018/10/10/security-updates/
+      title: announcement blog post
+    - url: /doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities
+      title: LTS upgrade guide
+  - type: rfe
+    message: Security hardening related to Stapler routing.
+  - type: rfe
+    message: Security hardening related to HTTP verb restrictions for web methods.
 
 # DO NOT EDIT THIS FILE DIRECTLY ON GITHUB IF YOU HAVE COMMIT ACCESS
 # ALL CHANGES MUST GO THROUGH PULL REQUESTS

content/blog/2018/10/2018-10-10-security-updates.adoc

@@ -0,0 +1,32 @@
+---
+:layout: post
+:title: Important security updates for Jenkins
+:tags:
+- core
+- security
+:author: daniel-beck
+---
+
+We just released security updates to Jenkins, versions 2.146 and 2.138.2, that fix multiple security vulnerabilities.
+
+For an overview of what was fixed, see the link:/security/advisory/2018-10-10[security advisory].
+For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our link:/doc/upgrade-guide/2.138/#upgrading-to-jenkins-lts-2-138-2[LTS upgrade guide].
+
+### Further improvements
+
+In addition to the security fixes listed in the security advisory, we also applied multiple improvements that make future security vulnerabilities more difficult, or even impossible to exploit.
+
+One such improvement concerns cross-site scripting vulnerabilities, and comes with a risk of regressions.
+
+Jenkins uses a fork of https://commons.apache.org/proper/commons-jelly/[Jelly] for the vast majority of the views it renders.
+Since 2011, it includes a feature that lets view authors opt in or out of automatic escaping of variable values for rendering in HTML, and since 2016, the plugin build tooling requires that views explicitly specify whether to apply this automatic escaping.
+Details are available in link:/doc/developer/security/xss-prevention/[the developer documentation].
+
+Until now, if views do not declare whether to automatically escape, they were rendered without automatic escaping, and developers were expected to explicitly escape every variable reference that was not supposed to contain markup.
+This has resulted in a number of cross-site scripting (XSS) vulnerabilities, most recently link:/security/advisory/2018-09-25/#SECURITY-1130[SECURITY-1130 in Job Config History Plugin].
+
+For that reason, we have decided to enable this automatic escaping by default if plugins do not specify a preference.
+This can result in problems with some plugins if they need their output to remain unescaped.
+We expect that those plugins will adapt pretty quickly to this change, as the fix is typically straightforward.
+
+In the mean time, users can set the https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties[system property] `org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault` to `false` to disable this additional protection.

content/doc/upgrade-guide/2.138.adoc

@@ -10,7 +10,14 @@ Each section covers the upgrade from the previous LTS release, the section on 2.
 
 === Upgrading to Jenkins LTS 2.138.2
 
-No notable changes requiring upgrade notes.
+==== Security hardening to prevent XSS vulnerabilities
+
+A security hardening to prevent cross-site scripting vulnerabilities from being exploitable was applied to views in Jenkins.
+This can in rare cases result in views having some content escaped twice (typically resulting in visible HTML entities).
+
+We consider these effects to be a bug in plugins that either opt out of the default test suite, or use outdated toolchains.
+
+As a temporary workaround, this hardening can be disabled by setting the system property `org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault` to `false`.
 
 === Upgrading to Jenkins LTS 2.138.1
 

content/security/advisory/2018-10-10.adoc

@@ -0,0 +1,107 @@
+---
+layout: advisory
+title: Jenkins Security Advisory 2018-10-10
+section: security
+kind: core
+core:
+  lts:
+    previous: 2.138.1
+    fixed: 2.138.2
+  weekly:
+    previous: 2.145
+    fixed: 2.146
+issues:
+
+- id: SECURITY-867
+  title: Path traversal vulnerability in Stapler allowed accessing internal data
+  reporter: Apple Information Security
+  cve: CVE pending
+  cvss:
+    severity: medium
+    vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+  description: |
+    A path traversal vulnerability in Stapler allowed viewing routable objects with views defined on any type.
+    This could be used to access internal data of routable objects, commonly by showing their string representation (`#toString()`).
+
+- id: SECURITY-1074
+  title: Arbitrary file write vulnerability using file parameter definitions
+  reporter: Oleg Nenashev
+  cve: CVE pending
+  cvss:
+    severity: medium
+    vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
+    # TODO possibly higher?
+  description: |
+    Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition.
+    This path would be used to archive the uploaded file on the Jenkins master, resulting in an arbitrary file write vulnerability.
+
+    File parameters that escape the base directory are no longer accepted and the build will fail.
+
+- id: SECURITY-1129
+  title: Reflected XSS vulnerability
+  reporter: Evan Grant of Tenable
+  cve: CVE pending
+  cvss:
+    severity: medium
+    vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+  description: |
+    The `wrapper` query parameter for the XML variant of the Jenkins remote API did not validate the specified tag name.
+    This resulted in a reflected cross-site scripting vulnerability.
+
+    Only legal XML tag names are now allowed for the `wrapper` query parameter.
+
+- id: SECURITY-1162
+  title: Ephemeral user record was created on some invalid authentication attempts
+  reporter: Zhao Xiaojie
+  cve: CVE-2018-1999043
+  cvss:
+    severity: medium
+    vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
+  description: |
+    When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as (legacy) API tokens could exist without a persisted user record.
+
+    This behavior could be abused to create a large number of ephemeral user records in memory.
+
+    This is the same vulnerability as link:/security/advisory/2018-08-15/#SECURITY-672[SECURITY-672].
+    The fix for SECURITY-672 was previously incorrectly applied and therefore not effective.
+    This has been fixed.
+
+- id: SECURITY-1128
+  title: Ephemeral user record creation
+  reporter: Evan Grant of Tenable
+  cve: CVE pending
+  cvss:
+    severity: medium
+    vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
+  description: |
+    By accessing a specific crafted URL on Jenkins instances using _Jenkins' own user database_, users without Overall/Read access could create ephemeral user records.
+
+    This behavior could be abused to create a large number of ephemeral user records in memory.
+
+    Accessing this URL now no longer results in a user record getting created.
+
+- id: SECURITY-1158
+  title: Session fixation vulnerability on user signup
+  reporter: Wadeck Follonier, CloudBees, Inc.
+  cve: CVE pending
+  cvss:
+    severity: medium
+    vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
+  description: |
+    When signing up for a new user account on instances using _Jenkins' own user database_, Jenkins did not invalidate the existing session and create a new one.
+    This allowed session fixation.
+
+    Jenkins now invalidates the existing session and creates a new one when logging in after user signup.
+
+- id: SECURITY-765
+  title: Failures to process form submission data could result in secrets being displayed or written to logs
+  reporter: Sam Gleske
+  cve: CVE pending
+  cvss:
+    severity: low
+    vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
+  description: |
+    When Jenkins fails to process form submissions due to an internal error, the error message shown to the user and written to the log typically includes the serialized JSON form submission.
+    Secrets, such as submitted passwords, might be included with the JSON object, and shown or written to disk in plain text.
+
+    Jenkins now masks values in these error messages from view if they were shown on the UI as password form fields.