Subject: [ASA-201704-8] jenkins: multiple issues

Arch Linux Security Advisory ASA-201704-8
=========================================

Severity: High
Date    : 2017-04-27
CVE-ID  : CVE-2017-1000354 CVE-2017-1000355 CVE-2017-1000356
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-255

Summary
=======

The package jenkins before version 2.57-1 is vulnerable to multiple issues
including cross-site request forgery, privilege escalation and denial of
service; the cross-site request forgery issues can be chained to arbitrary
code execution on the master node.

Resolution
==========

Upgrade to 2.57-1.

# pacman -Syu "jenkins>=2.57-1"

The problems have been fixed upstream in version 2.57.

Workaround
==========

None.

Description
===========

- CVE-2017-1000354 (privilege escalation)

The login command available in the remoting-based CLI stored the encrypted
user name of the successfully authenticated user in a cache file used to
authenticate further commands. Users with sufficient permission to create
secrets in Jenkins and download their encrypted values (e.g. with
Job/Configure permission) were able to impersonate any other Jenkins user on
the same instance: the encrypted form of a secret whose value is the target
user name is a valid cache entry for that user.

This has been fixed by storing the cached authentication as a hash-based MAC
(HMAC) under a key specific to the Jenkins instance and to the CLI
authentication cache, which the secret-encryption path never exposes.
Previously cached authentications are invalidated when upgrading Jenkins to
a version containing a fix for this.

- CVE-2017-1000355 (denial of service)

Jenkins uses the XStream library to serialize and deserialize XML. Its
maintainer recently published a security vulnerability that allows anyone
able to provide XML to Jenkins for processing using XStream to crash the Java
process. In Jenkins this typically applies to users with permission to create
or configure items (jobs), views, or agents.

Jenkins now prohibits the attempted deserialization of void / Void that
results in the crash.
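The cache weakness described for CVE-2017-1000354, as an added Python model that is not Jenkins code. Everything in it is constructed for illustration: a toy SHA-256 counter-mode stream cipher stands in for the instance's secret encryption, "alice" is a user holding Job/Configure, "admin" is the impersonation target, and the fixed token layout (user name, a colon, hex HMAC) is one way to realise "a hash-based MAC with a cache-specific key", not Jenkins' actual file format.

```python
"""Added example, not Jenkins code: models the CLI authentication cache
described for CVE-2017-1000354, before and after the fix.

Constructed assumptions: a toy SHA-256 counter-mode stream cipher stands in
for the instance's secret encryption; "alice" holds Job/Configure; "admin" is
the target; the fixed token format "user:hex(HMAC)" is illustrative only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 over key||counter (toy stand-in)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def instance_encrypt(instance_key: bytes, data: bytes) -> bytes:
    """Unauthenticated XOR stream cipher; the same operation decrypts."""
    return bytes(p ^ k for p, k in zip(data, _keystream(instance_key, len(data))))


instance_decrypt = instance_encrypt


class JenkinsModel:
    """The two features whose interaction the advisory describes: secret
    storage readable by Job/Configure, and the CLI login cache."""

    def __init__(self) -> None:
        self.instance_key = secrets.token_bytes(32)   # encrypts stored secrets
        self.cli_cache_key = secrets.token_bytes(32)  # fix: key used only for the CLI cache
        self.stored_secrets: Dict[str, bytes] = {}

    # A user with Job/Configure can create a secret and fetch its encrypted form.
    def store_secret(self, name: str, value: str) -> None:
        self.stored_secrets[name] = instance_encrypt(self.instance_key, value.encode())

    def download_encrypted_secret(self, name: str) -> bytes:
        return self.stored_secrets[name]

    # Before the fix: the cache token is the encrypted user name, i.e. exactly
    # what the secret-download path above yields for a chosen plaintext.
    def cli_login_vuln(self, username: str) -> bytes:
        return instance_encrypt(self.instance_key, username.encode())

    def cli_whoami_vuln(self, token: bytes) -> str:
        return instance_decrypt(self.instance_key, token).decode()

    # After the fix: token = user name plus HMAC under a separate cache key.
    # The secret-encryption oracle never touches cli_cache_key, so it cannot
    # mint a token for anyone.
    def cli_login_fixed(self, username: str) -> bytes:
        mac = hmac.new(self.cli_cache_key, username.encode(), hashlib.sha256).hexdigest()
        return username.encode() + b":" + mac.encode()

    def cli_whoami_fixed(self, token: bytes) -> Optional[str]:
        username, sep, mac = token.rpartition(b":")
        if not sep or len(mac) != 64:
            return None  # malformed, which covers every pre-fix token: old caches are invalidated
        expected = hmac.new(self.cli_cache_key, username, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):
            return None
        return username.decode()


def impersonate(j: JenkinsModel, target: str, fixed: bool) -> Optional[str]:
    """Alice's attack: store a secret whose value is the target user name,
    download its encrypted form, and present it as her CLI auth cache."""
    j.store_secret("alice-creds", target)
    forged = j.download_encrypted_secret("alice-creds")
    if fixed:
        return j.cli_whoami_fixed(forged)
    return j.cli_whoami_vuln(forged)


if __name__ == "__main__":
    j = JenkinsModel()
    print("vulnerable:", impersonate(j, "admin", fixed=False))  # admin
    print("fixed:", impersonate(j, "admin", fixed=True))  # None
    print("old cache after upgrade:", j.cli_whoami_fixed(j.cli_login_vuln("alice")))  # None
```

The point the model makes is key separation: the pre-fix token is produced by the same primitive and key that Job/Configure users can drive with chosen input, so the "secret" is really an encryption oracle. Keying the cache MAC with material that no other feature uses removes that oracle, and the format check rejects every pre-fix cache file, which is why upgrading invalidates existing CLI logins.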
- CVE-2017-1000356 (cross-site request forgery)

Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed
malicious users to perform several administrative actions by tricking a
logged-in victim into opening a web page. The most notable ones:

  SECURITY-412: Restart Jenkins immediately, after all builds are finished,
  or after all plugin installations and builds are finished
  SECURITY-412: Schedule a downgrade of Jenkins to a previously installed
  version if Jenkins previously upgraded itself
  SECURITY-413: Install and (optionally) dynamically load any plugin present
  on a configured update site
  SECURITY-414: Remove any update site from the Jenkins configuration
  SECURITY-415: Change a user's API token
  SECURITY-416: Submit system configuration
  SECURITY-417: Submit global security configuration
  SECURITY-418, SECURITY-420: For the Jenkins user database authentication
  realm: create an account if signup is enabled; or create an account if the
  victim is an administrator, possibly deleting the existing default admin
  user in the process
  SECURITY-419: Create a new agent, possibly executing arbitrary shell
  commands on the master node by choosing the appropriate launch method
  SECURITY-420: Update the node monitor data on all agents

Impact
======

A remote attacker with permission to create secrets can impersonate any other
Jenkins user, an attacker able to submit XML for XStream processing can crash
the Jenkins process, and an attacker who tricks a logged-in victim into
opening a web page can perform several administrative actions on the victim's
behalf, up to creating an agent that executes arbitrary shell commands on the
master node.

References
==========

https://jenkins.io/security/advisory/2017-04-26/
http://seclists.org/oss-sec/2017/q2/132
http://www.openwall.com/lists/oss-security/2017/04/03/4
https://security.archlinux.org/CVE-2017-1000354
https://security.archlinux.org/CVE-2017-1000355
https://security.archlinux.org/CVE-2017-1000356