Bug 1022042

Summary:	VUL-0: jenkins: multiple vulerabilities fixes in 2017-02-01 release
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Andreas Stieger <astieger>
Component:	Incidents	Assignee:	J. Daniel Schmidt <jdsn>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	jdsn, speilicke
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/179178/
Whiteboard:	CVSSv2:NVD:CVE-2017-1000362:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-2598:4.0:(AV:N/AC:L/Au:S/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-2599:5.5:(AV:N/AC:L/Au:S/C:P/I:P/A:N) CVSSv2:NVD:CVE-2017-2600:4.0:(AV:N/AC:L/Au:S/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-2601:3.5:(AV:N/AC:M/Au:S/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-2602:4.0:(AV:N/AC:L/Au:S/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-2603:3.5:(AV:N/AC:M/Au:S/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-2604:4.0:(AV:N/AC:L/Au:S/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-2606:4.0:(AV:N/AC:L/Au:S/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-2607:3.5:(AV:N/AC:M/Au:S/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-2608:6.5:(AV:N/AC:L/Au:S/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-2609:4.0:(AV:N/AC:L/Au:S/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-2610:3.5:(AV:N/AC:M/Au:S/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-2611:4.0:(AV:N/AC:L/Au:S/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-2612:5.5:(AV:N/AC:L/Au:S/C:N/I:P/A:P) CVSSv2:NVD:CVE-2017-2613:5.8:(AV:N/AC:M/Au:N/C:N/I:P/A:P) CVSSv3:NVD:CVE-2017-1000362:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-2598:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:NVD:CVE-2017-2599:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) CVSSv3:NVD:CVE-2017-2600:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:NVD:CVE-2017-2601:5.4:(AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSSv3:NVD:CVE-2017-2602:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) CVSSv3:NVD:CVE-2017-2603:3.5:(AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) CVSSv3:NVD:CVE-2017-2604:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) CVSSv3:NVD:CVE-2017-2606:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:NVD:CVE-2017-2607:5.4:(AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSSv3:NVD:CVE-2017-2608:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-2609:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:NVD:CVE-2017-2610:5.4:(AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSSv3:NVD:CVE-2017-2611:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) CVSSv3:NVD:CVE-2017-2612:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) CVSSv3:NVD:CVE-2017-2613:5.4:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) CVSSv3:RedHat:CVE-2017-1000362:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2017-2598:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2017-2599:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) CVSSv3:RedHat:CVE-2017-2600:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2017-2601:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVSSv3:RedHat:CVE-2017-2602:3.1:(AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) CVSSv3:RedHat:CVE-2017-2603:2.6:(AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2017-2604:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) CVSSv3:RedHat:CVE-2017-2606:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2017-2607:4.2:(AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) CVSSv3:RedHat:CVE-2017-2608:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-2609:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2017-2610:5.4:(AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSSv3:RedHat:CVE-2017-2611:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-2612:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) CVSSv3:RedHat:CVE-2017-2613:5.4:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Andreas Stieger 2017-01-26 09:47:32 UTC

EMBARGOED via distros
CRD: 2017-02-01

SECURITY-304: Use of AES ECB block cipher mode without IV for encrypting secrets
Secrets such as passwords are typically stored on disk and sent to users as part of some pages in encrypted form. These were encrypted using AES-128 ECB without IV. Jenkins now encrypts secrets using AES-128 CBC with random IV.

SECURITY-321: Items could be created with same name as existing item
An insufficient permisson check allowed users with the permission to create new items (e.g. jobs) to overwrite existing items they don't have access to. After a Jenkins restart, children of the original item, such as builds, were then accessible in some circumstances.

SECURITY-343: Node monitor data could be viewed by low privilege users
Overall/Read permission was sufficient to access node monitor data via the remote API. These included system configuration and runtime information of these nodes.

SECURITY-353: Persisted cross-site scripting vulnerability in parameter names and descriptions
Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

SECURITY-358: Pipeline metadata files not blacklisted in agent-to-master security subsystem
The Pipeline suite of plugins stored build metadata in the file program.dat and the directory workflow/. These were not blacklisted in the agent-to-master security subsystem and could therefore be written to by malicious agents.

SECURITY-362: User data leak in disconnected agents' config.xml API
Agents that were disconnected by users contained the disconnecting user's User object in serialized form in the /computer/id/config.xml remote API output. This could leak sensitive data such as API tokens.

SECURITY-371: Low privilege users were able to act on administrative monitors
Administrative monitors are warnings about the system state shown to Jenkins admins. They sometimes provide actions to e.g. automatically address the reported problem, or disable the warning. These actions were not consistently protected by permission checks, thereby allowing low privilege users to act on them.

SECURITY-376: Re-key admin monitor leaves behind unencrypted credentials in upgraded installations
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups had the same file permissions as the rest of the Jenkins home directory and were not removed afterwards.

SECURITY-380: Internal API allowed access to item names that should not be visible
The method Jenkins#getItems() included a performance optimization that resulted in all items being returned if the "Logged in users can do anything" authorization strategy was used, and no access was granted to anonymous users (an option added in Jenkins 2.0). This only affects anonymous users (other users would legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

SECURITY-382: Persisted cross-site scripting vulnerability in console notes
Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Popular examples include the highlighting of sections by Ant Plugin, or the timestamp metadata from Timestamper Plugin. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

SECURITY-383: XStream remote code execution vulnerability
XStream-based APIs in Jenkins (e.g. /createItem URLs, or POST config.xml remote API) were vulnerable to a remote code execution vulnerability involving the deserialization of various types in the javax.imageio package.

SECURITY-385: Information disclosure vulnerability in search suggestions
The autocompletion for the search box provided the names of views the current user does not have access to in its suggestions.

SECURITY-388: Persisted cross-site scripting vulnerability in search suggestions
Jenkins allows the creation of users with less-than and greater-than characters in their names. These user names were not escaped when displaying search suggestions, resulting in a cross-site scripting vulnerability.

SECURITY-389: Insufficient permission check for periodic processes
The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

SECURITY-392: Low privilege users were able to override JDK download credentials
Jenkins allows administrators to enter their username and password to the Oracle download site which provides JDKs for download. Users with read access to Jenkins were able to override these credentials, resulting in future builds possibly failing to download a JDK.

SECURITY-406: User creation CSRF using GET by admins
When administrators accessed a URL like /user/example via HTTP GET, a user with the ID `example` was created if it did not exist. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records.

Comment 4 Swamp Workflow Management 2017-01-26 23:00:28 UTC

bugbot adjusting priority

Comment 5 Andreas Stieger 2017-01-30 16:45:39 UTC

SECURITY-304: CVE-2017-2598
SECURITY-321: CVE-2017-2599
SECURITY-343: CVE-2017-2600
SECURITY-353: CVE-2017-2601
SECURITY-358: CVE-2017-2602
SECURITY-362: CVE-2017-2603
SECURITY-371: CVE-2017-2604
SECURITY-376: CVE-2017-2605
SECURITY-380: CVE-2017-2606
SECURITY-382: CVE-2017-2607
SECURITY-383: CVE-2017-2608
SECURITY-385: CVE-2017-2609
SECURITY-388: CVE-2017-2610
SECURITY-389: CVE-2017-2611
SECURITY-392: CVE-2017-2612
SECURITY-406: CVE-2017-2613

Comment 6 Andreas Stieger 2017-02-01 22:04:55 UTC

public at
http://seclists.org/oss-sec/2017/q1/275
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01

Comment 7 J. Daniel Schmidt 2017-02-03 15:12:39 UTC

Fixed release 2.44 is packaged and published in OBS and IBS and upgraded on ci.suse.de and ci.opensuse.org yesterday.