Commit eba6d08 (parent 3892ea2)
Showing 5 changed files with 179 additions and 1 deletion.
@@ -0,0 +1,32 @@ | ||
--- | ||
:layout: post | ||
:title: Important security updates for Jenkins | ||
:tags: | ||
- core | ||
- security | ||
:author: daniel-beck | ||
--- | ||
|
||
We just released security updates to Jenkins, versions 2.146 and 2.138.2, that fix multiple security vulnerabilities. | ||
|
||
For an overview of what was fixed, see the link:/security/advisory/2018-10-10[security advisory]. | ||
For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our link:/doc/upgrade-guide/2.138/#upgrading-to-jenkins-lts-2-138-2[LTS upgrade guide]. | ||
|
||
### Further improvements | ||
|
||
In addition to the security fixes listed in the security advisory, we also applied multiple improvements that make future security vulnerabilities more difficult, or even impossible to exploit. | ||
|
||
One such improvement concerns cross-site scripting vulnerabilities, and comes with a risk of regressions. | ||
|
||
Jenkins uses a fork of https://commons.apache.org/proper/commons-jelly/[Jelly] for the vast majority of the views it renders. | ||
Since 2011, it includes a feature that lets view authors opt in or out of automatic escaping of variable values for rendering in HTML, and since 2016, the plugin build tooling requires that views explicitly specify whether to apply this automatic escaping. | ||
Details are available in link:/doc/developer/security/xss-prevention/[the developer documentation]. | ||
|
||
Until now, if views do not declare whether to automatically escape, they were rendered without automatic escaping, and developers were expected to explicitly escape every variable reference that was not supposed to contain markup. | ||
This has resulted in a number of cross-site scripting (XSS) vulnerabilities, most recently link:/security/advisory/2018-09-25/#SECURITY-1130[SECURITY-1130 in Job Config History Plugin]. | ||
|
||
For that reason, we have decided to enable this automatic escaping by default if plugins do not specify a preference. | ||
This can result in problems with some plugins if they need their output to remain unescaped. | ||
We expect that those plugins will adapt pretty quickly to this change, as the fix is typically straightforward. | ||
|
||
In the mean time, users can set the https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties[system property] `org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault` to `false` to disable this additional protection. |
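Review bot: the sentence starting `Until now, if views do not declare whether to automatically escape, they were rendered without automatic escaping` mixes present and past tense while describing the pre-2.146 behaviour; use `did not declare` so it agrees with `were rendered`. The closing sentence should also state plainly what the opt-out does: setting `org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault` to `false` restores the old unescaped rendering for every view that has not declared a preference, not just for the one broken plugin, so it should be presented as a temporary workaround until the affected plugin is fixed rather than as a neutral configuration choice. Minor wording: `In the mean time` should be `In the meantime`, `Since 2011, it includes a feature` reads better as `has included a feature`, and `more difficult, or even impossible to exploit` overstates what escaping by default achieves; `more difficult to exploit` is the defensible claim.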
@@ -0,0 +1,107 @@ | ||
--- | ||
layout: advisory | ||
title: Jenkins Security Advisory 2018-10-10 | ||
section: security | ||
kind: core | ||
core: | ||
lts: | ||
previous: 2.138.1 | ||
fixed: 2.138.2 | ||
weekly: | ||
previous: 2.145 | ||
fixed: 2.146 | ||
issues: | ||
|
||
- id: SECURITY-867 | ||
title: Path traversal vulnerability in Stapler allowed accessing internal data | ||
reporter: Apple Information Security | ||
cve: CVE pending | ||
cvss: | ||
severity: medium | ||
vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | ||
description: | | ||
A path traversal vulnerability in Stapler allowed viewing routable objects with views defined on any type. | ||
This could be used to access internal data of routable objects, commonly by showing their string representation (`#toString()`). | ||
|
||
- id: SECURITY-1074 | ||
title: Arbitrary file write vulnerability using file parameter definitions | ||
reporter: Oleg Nenashev | ||
cve: CVE pending | ||
cvss: | ||
severity: medium | ||
vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | ||
# TODO possibly higher? | ||
description: | | ||
Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. | ||
This path would be used to archive the uploaded file on the Jenkins master, resulting in an arbitrary file write vulnerability. | ||
|
||
File parameters that escape the base directory are no longer accepted and the build will fail. | ||
|
||
- id: SECURITY-1129 | ||
title: Reflected XSS vulnerability | ||
reporter: Evan Grant of Tenable | ||
cve: CVE pending | ||
cvss: | ||
severity: medium | ||
vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
description: | | ||
The `wrapper` query parameter for the XML variant of the Jenkins remote API did not validate the specified tag name. | ||
This resulted in a reflected cross-site scripting vulnerability. | ||
|
||
Only legal XML tag names are now allowed for the `wrapper` query parameter. | ||
|
||
- id: SECURITY-1162 | ||
title: Ephemeral user record was created on some invalid authentication attempts | ||
reporter: Zhao Xiaojie | ||
cve: CVE-2018-1999043 | ||
cvss: | ||
severity: medium | ||
vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L | ||
description: | | ||
When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as (legacy) API tokens could exist without a persisted user record. | ||
|
||
This behavior could be abused to create a large number of ephemeral user records in memory. | ||
|
||
This is the same vulnerability as link:/security/advisory/2018-08-15/#SECURITY-672[SECURITY-672]. | ||
The fix for SECURITY-672 was previously incorrectly applied and therefore not effective. | ||
This has been fixed. | ||
|
||
- id: SECURITY-1128 | ||
title: Ephemeral user record creation | ||
reporter: Evan Grant of Tenable | ||
cve: CVE pending | ||
cvss: | ||
severity: medium | ||
vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L | ||
description: | | ||
By accessing a specific crafted URL on Jenkins instances using _Jenkins' own user database_, users without Overall/Read access could create ephemeral user records. | ||
|
||
This behavior could be abused to create a large number of ephemeral user records in memory. | ||
|
||
Accessing this URL now no longer results in a user record getting created. | ||
|
||
- id: SECURITY-1158 | ||
title: Session fixation vulnerability on user signup | ||
reporter: Wadeck Follonier, CloudBees, Inc. | ||
cve: CVE pending | ||
cvss: | ||
severity: medium | ||
vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | ||
description: | | ||
When signing up for a new user account on instances using _Jenkins' own user database_, Jenkins did not invalidate the existing session and create a new one. | ||
This allowed session fixation. | ||
|
||
Jenkins now invalidates the existing session and creates a new one when logging in after user signup. | ||
|
||
- id: SECURITY-765 | ||
title: Failures to process form submission data could result in secrets being displayed or written to logs | ||
reporter: Sam Gleske | ||
cve: CVE pending | ||
cvss: | ||
severity: low | ||
vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | ||
description: | | ||
When Jenkins fails to process form submissions due to an internal error, the error message shown to the user and written to the log typically includes the serialized JSON form submission. | ||
Secrets, such as submitted passwords, might be included with the JSON object, and shown or written to disk in plain text. | ||
|
||
Jenkins now masks values in these error messages from view if they were shown on the UI as password form fields. |
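Review bot: the `# TODO possibly higher?` comment under the SECURITY-1074 `cvss:` block is an unresolved editorial note in an advisory that is being published; settle the vector before merging and remove the comment. The description itself answers the question the TODO raises: a user with Job/Configure permission could make the uploaded file be written to an arbitrary path on the Jenkins master, and the chosen vector (`C:N/I:H/A:N`, severity medium) should be a deliberate decision about that impact rather than a placeholder. Two smaller points: the SECURITY-867 description (`allowed viewing routable objects with views defined on any type`) is hard to parse for readers who do not know Stapler internals and would benefit from one sentence saying that a view written for one type could be applied to an object of any other routable type; and the six `cve: CVE pending` entries need to be replaced with the assigned identifiers once MITRE issues them, since only SECURITY-1162 carries a CVE here.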