[arch-security] [ASA-201511-11] jenkins: multiple issues

Levente Polyak anthraxx at archlinux.org
Wed Nov 18 02:02:15 UTC 2015


Arch Linux Security Advisory ASA-201511-11
==========================================

Severity: Critical
Date    : 2015-11-18
CVE-ID  : CVE-2015-5317 CVE-2015-5318 CVE-2015-5319 CVE-2015-5320
          CVE-2015-5321 CVE-2015-5322 CVE-2015-5323 CVE-2015-5324
          CVE-2015-5325 CVE-2015-5326 CVE-2015-8103
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package jenkins before version 1.638-1 is vulnerable to multiple
issues including but not limited to arbitrary code execution,
information leakage, cross-site request forgery, XML external entity
injection, access restriction bypass, cross-site scripting and directory
traversal.

Resolution
==========

Upgrade to 1.638-1.

# pacman -Syu "jenkins>=1.638-1"

The problems have been fixed upstream in version 1.638.

Workaround
==========

None.

Description
===========

- CVE-2015-5317 (information leakage)

The Jenkins UI allowed users to see the names of jobs and builds
otherwise inaccessible to them on the "Fingerprints" pages if those
shared file fingerprints with fingerprinted files in accessible jobs.

- CVE-2015-5318 (cross-site request forgery)

The salt used to generate the CSRF protection tokens was a publicly
accessible value, allowing malicious users to circumvent CSRF protection
by generating the correct token.

- CVE-2015-5319 (XML external entity injection)

When creating a job using the create-job CLI command, external entity
declarations in the submitted XML are neither discarded nor processed by
Jenkins; they are kept as part of the stored job configuration. If that
configuration is later processed by another user with an XML-aware tool
(e.g. via get-job/update-job), information from that user's computer may
be disclosed to Jenkins and the attacker.
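As an added check (example code written for this advisory, not part of Jenkins or of the upstream fix): a scanner that flags external entity declarations in a job config.xml before an XML-aware tool processes it, and refuses to resolve them while scanning. The two sample configs are constructed; the entity name and the file path it points at are illustrative.

```python
from xml.parsers import expat

# Constructed sample job config: an external entity that an XML-aware
# consumer (get-job/update-job on another user's machine) would expand
# from that user's own filesystem.
MALICIOUS_CONFIG = b"""<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<project><description>&xxe;</description></project>
"""

# Constructed sample of an ordinary job config with no DTD at all.
CLEAN_CONFIG = b"""<?xml version="1.0"?>
<project><description>nightly build</description></project>
"""


def find_external_entities(xml_bytes):
    """Return [(entity_name, system_id), ...] for every external entity
    declared in the document's DTD, without resolving any of them."""
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry a
        # SYSTEM or PUBLIC identifier pointing outside the document.
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort instead of fetching the resource,
        # so a reference in the document body is never followed.
        return 0

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        # Aborted on the external reference (or malformed XML); the
        # declarations seen up to that point are already recorded.
        pass
    return found


def is_safe_job_config(xml_bytes):
    """Accept a config only when it declares no external entities."""
    return not find_external_entities(xml_bytes)
```

The DTD is parsed before the document body, so every external entity is recorded even though the parse is aborted at the first reference to one.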

- CVE-2015-5320 (access restriction bypass)

JNLP slave connections did not verify that the correct secret was
supplied, which allowed malicious users to connect their own machines as
slaves to Jenkins knowing only the name of the slave. This enables
attackers to take over Jenkins (unless the slave-to-master security
subsystem is enabled) or gain access to private data like keys and
source code.

- CVE-2015-5321 (information leakage)

The CLI command overview and help pages in Jenkins were accessible
without Overall/Read permission, resulting in disclosure of the names of
configured slaves (and contents of other sidepanel widgets, if present)
to unauthorized users.

- CVE-2015-5322 (directory traversal)

Access to the /jnlpJars/ URL was not limited to the specific JAR files
users needed to access, allowing browsing directories and downloading
other files in the Jenkins servlet resources, such as web.xml.

- CVE-2015-5323 (access restriction bypass)

API tokens of other users were exposed to admins by default. On
instances that don't implicitly grant RunScripts permission to admins,
this allowed admins to run scripts with another user's credentials.

- CVE-2015-5324 (information leakage)

The /queue/api URL could return information about items not accessible
to the current user (such as parameter names and values, build names,
project descriptions).

- CVE-2015-5325 (access restriction bypass)

Slaves connecting via JNLP were not subject to the optional
slave-to-master access control documented at
http://jenkins-ci.org/security-144 (CVE-2014-3665).

- CVE-2015-5326 (cross-site scripting)

Users with the permission to take slave nodes offline can enter
arbitrary HTML that gets shown unescaped to users visiting the slave
overview page.

- CVE-2015-8103 (arbitrary code execution)

Unsafe deserialization allows unauthenticated remote attackers to run
arbitrary code on the Jenkins master.

Impact
======

A remote attacker is able to execute arbitrary code, disclose
sensitive information, bypass the cross-site request forgery protection,
perform XML external entity injection, bypass multiple access
restrictions, perform a cross-site scripting attack and make use of a
directory traversal issue to download arbitrary files.

References
==========

https://access.redhat.com/security/cve/CVE-2015-5317
https://access.redhat.com/security/cve/CVE-2015-5318
https://access.redhat.com/security/cve/CVE-2015-5319
https://access.redhat.com/security/cve/CVE-2015-5320
https://access.redhat.com/security/cve/CVE-2015-5321
https://access.redhat.com/security/cve/CVE-2015-5322
https://access.redhat.com/security/cve/CVE-2015-5323
https://access.redhat.com/security/cve/CVE-2015-5324
https://access.redhat.com/security/cve/CVE-2015-5325
https://access.redhat.com/security/cve/CVE-2015-5326
https://access.redhat.com/security/cve/CVE-2015-8103
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
