CVE-2019-1003029: Jenkins Security Advisory 2019-03-06
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- AppDynamics Dashboard Plugin
- Azure VM Agents Plugin
- Bitbar Run-in-Cloud Plugin
- Email Extension Plugin
- Groovy Plugin
- Job DSL Plugin
- Matrix Project Plugin
- OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin
- Pipeline: Groovy Plugin
- Rabbit-MQ Publisher Plugin
- Repository Connector Plugin
- Script Security Plugin
Descriptions
Sandbox bypass in Script Security Plugin
SECURITY-1336 (1) / CVE-2019-1003029
Script Security sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.
Script Security Plugin is now newly applying sandbox protection during these phases.
This affected both script execution (typically invoked from other plugins) as well as an HTTP endpoint providing script validation and allowed users with Overall/Read permission to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
The API GroovySandbox#run(Script, Whitelist) has been deprecated and now emits a warning to the system log about potential security problems. GroovySandbox#run(GroovyShell, String, Whitelist) replaces it. GroovySandbox#checkScriptForCompilationErrors(String, GroovyClassLoader) has been added as a safer method to implement script validation.
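The following is an added example, not code from the Script Security Plugin or from this advisory. It shows, in a hypothetical plugin helper class named ExampleScriptSupport, the migration the paragraph above describes: the affected pattern parses the script with a GroovyShell before entering the sandbox, so parsing, compilation and instantiation run unsandboxed, while the replacement API receives the raw source and covers those phases too. The three GroovySandbox methods named in the advisory are real; the class and method names of the helper are assumptions, GroovySandbox.createSecureCompilerConfiguration() is an existing helper the advisory does not mention, and the handling of the value returned by checkScriptForCompilationErrors (a FormValidation describing the error, or null when the script compiles) is an assumption about that method.

```java
// Added example (hypothetical plugin code), not from the Script Security Plugin or the advisory.
import groovy.lang.Binding;
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyShell;
import groovy.lang.Script;
import hudson.util.FormValidation;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;

public class ExampleScriptSupport {

    /** Hypothetical: the class loader user scripts are compiled against. */
    private final ClassLoader baseLoader;

    public ExampleScriptSupport(ClassLoader baseLoader) {
        this.baseLoader = baseLoader;
    }

    private GroovyShell newShell(Binding binding) {
        // createSecureCompilerConfiguration() is an existing GroovySandbox helper (not named in the
        // advisory); it installs the sandbox transformer so that compiled code is intercepted.
        return new GroovyShell(baseLoader, binding, GroovySandbox.createSecureCompilerConfiguration());
    }

    /**
     * BEFORE (affected pattern, Script Security 1.53 and earlier): shell.parse() parses, compiles
     * and instantiates the script before the sandbox is entered. Whatever the compiler or the
     * class initialisation executes at that point is not subject to the whitelist, which is the
     * class of bypass SECURITY-1336 describes.
     */
    @Deprecated
    public Object runBefore(String source, Binding binding) {
        GroovyShell shell = newShell(binding);
        Script parsed = shell.parse(source);               // phases 1-3 happen here, unsandboxed
        return GroovySandbox.run(parsed, Whitelist.all());  // deprecated in 1.54, logs a warning
    }

    /**
     * AFTER: hand the raw source to the replacement API so that parsing, compilation and
     * instantiation are covered by the sandbox in addition to execution.
     */
    public Object runAfter(String source, Binding binding) {
        GroovyShell shell = newShell(binding);
        return GroovySandbox.run(shell, source, Whitelist.all());
    }

    /**
     * Form validation ("does this script compile?"). Compiling with a plain GroovyShell here is
     * the same defect: a validation endpoint reachable with Overall/Read would compile caller
     * supplied source outside the sandbox. checkScriptForCompilationErrors() compiles under
     * sandbox rules without running the script. Assumption: it returns a FormValidation for a
     * compilation error and null when the script compiles cleanly.
     */
    public FormValidation checkScript(String source) {
        GroovyClassLoader loader = new GroovyClassLoader(baseLoader);
        FormValidation problem = GroovySandbox.checkScriptForCompilationErrors(source, loader);
        return problem != null ? problem : FormValidation.ok();
    }
}
```

When reviewing a plugin for this issue, look for any GroovyShell.parse(), GroovyShell.evaluate() or GroovyClassLoader.parseClass() call on user-controlled source that happens before GroovySandbox.run() is entered; the fix is to move the source string into the sandboxed call rather than to add checks around the parsed Script.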
Sandbox bypass in Pipeline: Groovy Plugin
SECURITY-1336 (2) / CVE-2019-1003030
Pipeline: Groovy sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.
This allowed users able to control the contents of a pipeline to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
Pipeline: Groovy Plugin now uses Script Security APIs that apply sandbox protection during these phases.
Script security sandbox bypass in Matrix Project Plugin
SECURITY-1339 / CVE-2019-1003031
Matrix Project Plugin supports a sandboxed Groovy expression to filter matrix combinations. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.
This allowed users able to configure a Matrix project to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
Matrix Project Plugin now uses Script Security APIs that apply sandbox protection during these phases.
Script security sandbox bypass in Email Extension Plugin
SECURITY-1340 / CVE-2019-1003032
Email Extension Plugin supports sandboxed Groovy expressions for multiple features. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.
This allowed users able to control the plugin’s job-specific configuration to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
Email Extension Plugin now uses Script Security APIs that apply sandbox protection during these phases.
Script security sandbox bypass in Groovy Plugin
SECURITY-1338 / CVE-2019-1003033
Groovy Plugin supports sandboxed Groovy expressions for its “System Groovy” functionality. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.
This affected both System Groovy script execution as well as an HTTP endpoint providing script validation, and allowed users with Overall/Read permission to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
Groovy Plugin now uses Script Security APIs that apply sandbox protection during these phases.
Script security sandbox bypass in Job DSL Plugin
SECURITY-1342 / CVE-2019-1003034
Job DSL Plugin supports sandboxed Groovy expressions for Job DSL definitions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.
This allowed users able to control the Job DSL scripts to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
Job DSL Plugin now uses Script Security APIs that apply sandbox protection during these phases.
Information disclosure in Azure VM Agents Plugin
SECURITY-1330 / CVE-2019-1003035
A missing permission check in a form validation method in Azure VM Agents Plugin allowed users with Overall/Read access to verify a submitted configuration, obtaining limited information about the Azure account and configuration.
Additionally, this form validation method did not require POST requests, resulting in a potential CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration
SECURITY-1331 / CVE-2019-1003036
A missing permission check in an HTTP endpoint allowed users with Overall/Read access to attach a public IP address to an Azure VM in Azure VM Agents Plugin, making a virtual machine publicly accessible.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability with more limited impact, as the IP address would not be known.
This form validation method now requires POST requests and Overall/Administer permissions.
Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin
SECURITY-1332 / CVE-2019-1003037
Azure VM Agents Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.
This functionality did not check permissions, allowing any user with Overall/Read permission to obtain a list of valid credential IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.
Enumeration of credential IDs in this plugin now requires Overall/Administer permission.
Repository Connector Plugin stored password in plain text
SECURITY-958 / CVE-2019-1003038
Repository Connector Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.
The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.
AppDynamics Dashboard Plugin stored password in plain text
SECURITY-1087 / CVE-2019-1003039
AppDynamics Dashboard Plugin stored username and password in its configuration unencrypted in jobs’ config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
While masked from view using a password form field, the password was transferred in plain text to users when accessing the job configuration form.
AppDynamics Dashboard Plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.
Rabbit-MQ Publisher Plugin stored password in plain text
SECURITY-848
Rabbit-MQ Publisher Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.
The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.
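The following is an added example, not code from Repository Connector Plugin, AppDynamics Dashboard Plugin or Rabbit-MQ Publisher Plugin. It illustrates the fix pattern described for SECURITY-958, SECURITY-1087 and SECURITY-848 in a hypothetical global configuration class named ExampleServerConfig: the password field changes from String, which XStream writes to the configuration XML verbatim, to hudson.util.Secret, which is written in its encrypted form and which the password form field presents as the encrypted value rather than the plain text. The class, field and method names are assumptions; Secret, GlobalConfiguration and the readResolve migration hook are standard Jenkins APIs.

```java
// Added example (hypothetical plugin code), not from any plugin named in the advisory.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    private String username;

    /**
     * BEFORE: this String field was persisted to the global configuration file as plain text,
     * readable by anyone with file-system access to the controller, and was echoed back into the
     * configuration form. It is kept (deprecated, not transient) so that existing XML still
     * deserialises; readResolve() below migrates it and nulls it, and null fields are omitted on
     * the next save().
     */
    @Deprecated
    private String password;

    /** AFTER: Secret is persisted via Secret#getEncryptedValue(), never as plain text. */
    private Secret encryptedPassword;

    public ExampleServerConfig() {
        load();
    }

    /**
     * XStream calls readResolve() after populating the fields, so a legacy plain-text password is
     * converted to a Secret in memory on load. The file on disk keeps the plain text until save()
     * runs again, which is why the advisory asks for existing configuration to be re-saved.
     */
    protected Object readResolve() {
        if (password != null) {
            encryptedPassword = Secret.fromString(password);
            password = null;
        }
        return this;
    }

    public String getUsername() {
        return username;
    }

    @DataBoundSetter
    public void setUsername(String username) {
        this.username = username;
        save();
    }

    /** Used by the config form; <f:password> renders a Secret as its encrypted value. */
    public Secret getEncryptedPassword() {
        return encryptedPassword;
    }

    @DataBoundSetter
    public void setEncryptedPassword(Secret encryptedPassword) {
        this.encryptedPassword = encryptedPassword;
        save();
    }

    /** Decrypt only at the point of use (when opening the connection), never for display. */
    public String plainPasswordForConnection() {
        return encryptedPassword == null ? null : encryptedPassword.getPlainText();
    }
}
```

The matching config.jelly field would be <f:password field="encryptedPassword"/>; the plain text should only ever be recovered through getPlainText() where the connection is established, so it neither lands on disk nor in the HTML served to users viewing the form.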
Missing permission check allowed connecting to RabbitMQ in Rabbit-MQ Publisher Plugin
SECURITY-970
A missing permission check in a form validation method of Rabbit-MQ Publisher Plugin allowed users with Overall/Read access to have Jenkins initiate a RabbitMQ connection to an attacker-specified host and port with an attacker-specified username and password.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin stored password in plain text
SECURITY-1038
OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin stored the HTTP proxy username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.
The plugin now integrates with Credentials Plugin to store the HTTP proxy credentials.
SSRF and data modification vulnerability due to missing permission check in Bitbar Run-in-Cloud
SECURITY-1088
A missing permission check in a method performing both form validation and saving new configuration in Bitbar Run-in-Cloud Plugin allowed users with Overall/Read permission to have Jenkins connect to an attacker-specified host with attacker-specified credentials, and, if successful, save that as the new configuration for the plugin. This could then potentially result in future builds submitting their data to an unauthorized remote server.
Additionally, this method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
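The following is an added example, not code from Azure VM Agents Plugin, Rabbit-MQ Publisher Plugin or Bitbar Run-in-Cloud Plugin. It shows the form validation fix the advisory describes for SECURITY-1330, SECURITY-970 and SECURITY-1088 in a hypothetical global configuration class named ExampleConnectionConfig with a "test connection" method: the affected shape answers GET requests and checks no permission, the fixed shape is annotated with @POST and requires Overall/Administer before doing anything else. Class and method names are assumptions; @POST (org.kohsuke.stapler.verb.POST), Jenkins.ADMINISTER and checkPermission are standard Jenkins and Stapler APIs.

```java
// Added example (hypothetical plugin code), not from any plugin named in the advisory.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

@Extension
public class ExampleConnectionConfig extends GlobalConfiguration {

    /**
     * BEFORE (affected pattern): any authenticated user with Overall/Read can call
     * .../descriptorByName/.../testConnectionBefore?host=...&port=... over GET, and Jenkins opens
     * a connection to the caller-supplied host. Because GET is accepted, the CSRF crumb is never
     * checked, so a logged-in administrator's browser can be made to issue the request as well.
     */
    public FormValidation doTestConnectionBefore(@QueryParameter String host,
                                                  @QueryParameter int port) {
        return tryConnect(host, port);
    }

    /**
     * AFTER: @POST makes Stapler reject non-POST requests (POST is what the crumb-based CSRF
     * protection covers), and checkPermission throws AccessDeniedException for anyone below
     * Overall/Administer before any network activity takes place. The method also stays
     * side-effect free: it must not persist the submitted values (the Bitbar case combined
     * validation with saving the configuration).
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String host,
                                           @QueryParameter int port) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(host, port);
    }

    /**
     * Hypothetical connection check: a plain TCP connect with a short timeout. A real plugin would
     * hand host, port and credentials to its client library here, which is exactly why the method
     * must be gated above.
     */
    private FormValidation tryConnect(String host, int port) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), 3000);
            return FormValidation.ok("Connected to " + host + ":" + port);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

The same two-line change applies to every doCheck*/doTest*/doFill* method whose work has side effects or reveals configuration: require POST so the crumb is enforced, and check the permission that matches who is allowed to configure the plugin (Overall/Administer for global configuration, Item.CONFIGURE for a job-level descriptor).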
Severity
- SECURITY-848: Low
- SECURITY-958: Low
- SECURITY-970: Medium
- SECURITY-1038: Low
- SECURITY-1087: Medium
- SECURITY-1088: Medium
- SECURITY-1330: Medium
- SECURITY-1331: Medium
- SECURITY-1332: Medium
- SECURITY-1336 (1): High
- SECURITY-1336 (2): High
- SECURITY-1338: High
- SECURITY-1339: High
- SECURITY-1340: High
- SECURITY-1342: High
Affected Versions
- AppDynamics Dashboard Plugin up to and including 1.0.14
- Azure VM Agents Plugin up to and including 0.8.0
- Bitbar Run-in-Cloud Plugin up to and including 2.69.1
- Email Extension Plugin up to and including 2.64
- Groovy Plugin up to and including 2.1
- Job DSL Plugin up to and including 1.71
- Matrix Project Plugin up to and including 1.13
- OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin up to and including 1.0.10
- Pipeline: Groovy Plugin up to and including 2.63
- Rabbit-MQ Publisher Plugin up to and including 1.0
- Repository Connector Plugin up to and including 1.2.4
- Script Security Plugin up to and including 1.53
Fix
- AppDynamics Dashboard Plugin should be updated to version 1.0.15
- Azure VM Agents Plugin should be updated to version 0.8.1
- Bitbar Run-in-Cloud Plugin should be updated to version 2.70.0
- Email Extension Plugin should be updated to version 2.65
- Groovy Plugin should be updated to version 2.2
- Job DSL Plugin should be updated to version 1.72
- Matrix Project Plugin should be updated to version 1.14
- OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin should be updated to version 1.0.11
- Pipeline: Groovy Plugin should be updated to version 2.64
- Rabbit-MQ Publisher Plugin should be updated to version 1.2.0
- Repository Connector Plugin should be updated to version 1.2.5
- Script Security Plugin should be updated to version 1.54
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
Credit
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
- Daniel Beck, CloudBees, Inc. for SECURITY-970, SECURITY-1332
- Georgy Noseevich (@webpentest), SolidLab for SECURITY-1336 (1), SECURITY-1336 (2)
- Oleg Nenashev, CloudBees, Inc. for SECURITY-1330, SECURITY-1331
- Viktor Gazdag for SECURITY-848, SECURITY-958, SECURITY-1038, SECURITY-1087, SECURITY-1088