Arch Linux Security Advisory ASA-202111-1
=========================================

Severity: Critical
Date    : 2021-11-05
CVE-ID  : CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688
          CVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692
          CVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696
          CVE-2021-21697
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2526

Summary
=======

The package jenkins before version 2.319-1 is vulnerable to multiple
issues including arbitrary filesystem access and sandbox escape.

Resolution
==========

Upgrade to 2.319-1.

# pacman -Syu "jenkins>=2.319-1"

The problems have been fixed upstream in version 2.319.

Workaround
==========

If you are unable to upgrade to Jenkins 2.319 right away, you can
install the Remoting Security Workaround Plugin. It will prevent all
agent-to-controller file access using FilePath APIs. Because it is more
restrictive than Jenkins 2.319, more plugins are incompatible with it.
Make sure to read the plugin documentation before installing it.

Description
===========

- CVE-2021-21685 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#mkdirs does not check permission to create parent directories.
This allows agent processes to read and write arbitrary files on the
Jenkins controller file system, and obtain some information about
Jenkins controller file systems.

- CVE-2021-21686 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. File
path filters do not canonicalize paths, allowing operations to follow
symbolic links to outside allowed directories. This allows agent
processes to read and write arbitrary files on the Jenkins controller
file system, and obtain some information about Jenkins controller file
systems.

- CVE-2021-21687 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#untar does not check permission to create symbolic links when
unarchiving a symbolic link. This allows agent processes to read and
write arbitrary files on the Jenkins controller file system, and obtain
some information about Jenkins controller file systems.

- CVE-2021-21688 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#reading(FileVisitor) does not reject any operations, allowing
users to have unrestricted read access using certain operations
(creating archives, #copyRecursiveTo). This allows agent processes to
read and write arbitrary files on the Jenkins controller file system,
and obtain some information about Jenkins controller file systems.

- CVE-2021-21689 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#unzip and FilePath#untar were not subject to any access
control. This allows agent processes to read and write arbitrary files
on the Jenkins controller file system, and obtain some information about
Jenkins controller file systems.

- CVE-2021-21690 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. Agent
processes are able to completely bypass file path filtering by wrapping
the file operation in an agent file path. This allows agent processes to
read and write arbitrary files on the Jenkins controller file system,
and obtain some information about Jenkins controller file systems.

- CVE-2021-21691 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
Creating symbolic links is possible without the symlink permission. This
allows agent processes to read and write arbitrary files on the Jenkins
controller file system, and obtain some information about Jenkins
controller file systems.

- CVE-2021-21692 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
The operations FilePath#renameTo and FilePath#moveAllChildrenTo only
check read permission on the source path. This allows agent processes to
read and write arbitrary files on the Jenkins controller file system,
and obtain some information about Jenkins controller file systems.

- CVE-2021-21693 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. When
creating temporary files, permission to create files is only checked
after they’ve been created. This allows agent processes to read and
write arbitrary files on the Jenkins controller file system, and obtain
some information about Jenkins controller file systems.

- CVE-2021-21694 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,
FilePath#isDescendant, and FilePath#get*DiskSpace do not check any
permissions. This allows agent processes to read and write arbitrary
files on the Jenkins controller file system, and obtain some information
about Jenkins controller file systems.

- CVE-2021-21695 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#listFiles lists files outside directories with agent read
access when following symbolic links. This allows agent processes to
read and write arbitrary files on the Jenkins controller file system,
and obtain some information about Jenkins controller file systems.

- CVE-2021-21696 (sandbox escape)

Jenkins before version 2.319 does not limit agent read/write access to
the libs/ directory inside build directories when using the FilePath
APIs. This directory is used by the "Pipeline: Shared Groovy Libraries"
Plugin to store copies of shared libraries. This allows attackers in
control of agent processes to replace the code of a trusted library with
a modified variant, resulting in unsandboxed code execution in the
Jenkins controller process.
Jenkins 2.319 prohibits agent read/write access to the libs/ directory
inside build directories.

- CVE-2021-21697 (arbitrary filesystem access)

Agents are allowed some limited access to files on the Jenkins
controller file system. The directories agents are allowed to access in
Jenkins before 2.319 include the directories storing build-related
information, intended to allow agents to store build-related metadata
during build execution. As a consequence, this allows any agent to read
and write the contents of any build directory stored in Jenkins with
very few restrictions (build.xml and some Pipeline-related metadata).
Jenkins 2.319 prevents agents from accessing contents of build
directories unless it’s for builds currently running on the agent
attempting to access the directory.

Impact
======

Agent processes could read and write arbitrary files on the Jenkins
controller file system, and obtain some information about Jenkins
controller file systems.

References
==========

https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428
https://security.archlinux.org/CVE-2021-21685
https://security.archlinux.org/CVE-2021-21686
https://security.archlinux.org/CVE-2021-21687
https://security.archlinux.org/CVE-2021-21688
https://security.archlinux.org/CVE-2021-21689
https://security.archlinux.org/CVE-2021-21690
https://security.archlinux.org/CVE-2021-21691
https://security.archlinux.org/CVE-2021-21692
https://security.archlinux.org/CVE-2021-21693
https://security.archlinux.org/CVE-2021-21694
https://security.archlinux.org/CVE-2021-21695
https://security.archlinux.org/CVE-2021-21696
https://security.archlinux.org/CVE-2021-21697
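
Added example, not part of the original advisory and not Jenkins code:
the defect class described under CVE-2021-21686, a path filter that
compares paths without canonicalizing them, shown next to a check that
resolves symbolic links first. The class name, method names and the
temporary directory layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Illustration only; names and layout are hypothetical, not Jenkins code.
class PathFilterDemo {
    // Lexical check: collapses "." and ".." but never consults the file
    // system, so a symbolic link below the allowed root is not resolved.
    static boolean lexicalAllows(Path allowedRoot, Path requested) {
        Path root = allowedRoot.toAbsolutePath().normalize();
        return requested.toAbsolutePath().normalize().startsWith(root);
    }

    // Canonical check: resolves symbolic links on both sides, then compares.
    // A path that cannot be resolved is rejected (fail closed).
    static boolean canonicalAllows(Path allowedRoot, Path requested) {
        try {
            return requested.toRealPath().startsWith(allowedRoot.toRealPath());
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: base/allowed is the permitted directory,
        // base/outside holds data the filter is supposed to protect.
        Path base = Files.createTempDirectory("filter-demo");
        Path allowed = Files.createDirectories(base.resolve("allowed"));
        Path outside = Files.createDirectories(base.resolve("outside"));
        Files.writeString(allowed.resolve("ok.txt"), "build metadata");
        Files.writeString(outside.resolve("secret.txt"), "controller-only");
        // A link that lives inside the allowed directory but points outside.
        Files.createSymbolicLink(allowed.resolve("link"), outside);

        Path[] requests = {
            allowed.resolve("ok.txt"),                 // genuinely inside
            allowed.resolve("../outside/secret.txt"),  // ".." traversal
            allowed.resolve("link/secret.txt"),        // symlink traversal
        };
        for (Path p : requests) {
            System.out.printf("%-28s lexical=%-5b canonical=%b%n",
                    base.relativize(p), lexicalAllows(allowed, p),
                    canonicalAllows(allowed, p));
        }
    }
}
```

A filter for write operations also has to handle targets that do not
exist yet, for example by canonicalizing the parent directory; this
sketch simply rejects them.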