
Jenkins Website Security Update (2020-01-29)

Source: Jenkins website    Published: 2020-01-29

Basic Information

Published: 2020-01-29 (local time at the source)

Update type: Security update

Updated version: Unknown

Detected at: 2020-01-29 23:10:05

Risk level: High

Intelligence contributed by: TSRC

Update Title

Jenkins Security Advisory 2020-01-29

Update Details

Inbound TCP Agent Protocol/3 authentication bypass
SECURITY-1682 / CVE-2020-2099

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier includes support for the Inbound TCP Agent Protocol/3 for communication between master and agents. While this protocol has been deprecated in 2018 and was recently removed from Jenkins in 2.214, it could still easily be enabled in Jenkins LTS 2.204.1, 2.213, and older.

This protocol incorrectly reuses encryption parameters which allow an unauthenticated remote attacker to determine the connection secret. This secret can then be used to connect attacker-controlled Jenkins agents to the Jenkins master.

Jenkins 2.204.2 no longer allows for the use of Inbound TCP Agent Protocol/3 by default. The system property jenkins.slaves.JnlpSlaveAgentProtocol3.ALLOW_UNSAFE can be set to true to allow enabling the Inbound TCP Agent Protocol/3 in Jenkins 2.204.2, but doing so is strongly discouraged.

Inbound TCP Agent Protocol/3 was removed completely from Jenkins 2.214 and will not be part of Jenkins LTS after the end of the 2.204.x line.

Jenkins vulnerable to UDP amplification reflection attack
SECURITY-1641 / CVE-2020-2100

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier supports two network discovery services (UDP multicast/broadcast and DNS multicast) by default.

The UDP multicast/broadcast service can be used in an amplification reflection attack, as very few bytes sent to the respective endpoint result in much larger responses: a single byte request to this service would respond with more than 100 bytes of Jenkins metadata which could be used in a DDoS attack on a Jenkins master.

Within the same network, spoofed UDP packets could also be sent to make two Jenkins masters go into an infinite loop of replies to one another, thus causing a denial of service.

Jenkins 2.219, LTS 2.204.2 now disables both UDP multicast/broadcast and DNS multicast by default. Administrators that need these features can re-enable them again by setting the system property hudson.DNSMultiCast.disabled to false (for DNS multicast) or the system property hudson.udp to 33848, or another port (for UDP broadcast/multicast). These are the same system properties that controlled whether these features were enabled in the past, so any instances explicitly enabling these features by setting these system properties will continue to have them enabled.

Non-constant time comparison of inbound TCP agent connection secret
SECURITY-1659 / CVE-2020-2101

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison validating the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret.

Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison function for verifying connection secrets.

Non-constant time HMAC comparison
SECURITY-1660 / CVE-2020-2102

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison when checking whether two HMACs are equal. This could potentially allow attackers to use statistical methods to obtain a valid HMAC for an attacker-controlled input value.

Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison when validating HMACs.

Diagnostic page exposed session cookies
SECURITY-1695 / CVE-2020-2103

Jenkins shows various technical details about the current user on the /whoAmI page. In a previous fix, the Cookie header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier. This allows attackers able to exploit a cross-site scripting vulnerability to obtain the HTTP session ID value from this page.

Jenkins 2.219, LTS 2.204.2 no longer prints out the affected user metadata that might contain the HTTP session ID. Additionally, we also redact values of further authentication-related HTTP headers in addition to Cookie on this page as a hardening.

Memory usage graphs accessible to anyone with Overall/Read
SECURITY-1650 / CVE-2020-2104

Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins master. Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not administrators to view JVM memory usage data.

Jenkins 2.219, LTS 2.204.2 now requires Overall/Administer permissions to view the JVM memory usage chart.

Jenkins REST APIs vulnerable to clickjacking
SECURITY-1704 / CVE-2020-2105

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the X-Frame-Options: deny HTTP header on REST API responses to protect against clickjacking attacks. An attacker could exploit this by routing the victim through a specially crafted web page that embeds a REST API endpoint in an iframe and tricking the user into performing an action which would allow for the attacker to learn the content of that REST API endpoint.

Jenkins 2.219, LTS 2.204.2 now adds the X-Frame-Options: deny HTTP header to REST API responses, which prevents these types of clickjacking attacks.

Stored XSS vulnerability in Code Coverage API Plugin
SECURITY-1680 / CVE-2020-2106

Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration.

Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used in its view.

Fortify Plugin stored credentials in plain text
SECURITY-1565 / CVE-2020-2107

Fortify Plugin 19.1.29 and earlier stored its proxy server password unencrypted in job config.xml files. This password could be read by users with the Extended Read permission.

Fortify Plugin 19.2.30 now encrypts the proxy server password.

XXE vulnerability in WebSphere Deployer Plugin
SECURITY-1719 / CVE-2020-2108

WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.

As of publication of this advisory, there is no fix.

Severity

SECURITY-1565: Medium
SECURITY-1641: Medium
SECURITY-1650: Medium
SECURITY-1659: Medium
SECURITY-1660: Medium
SECURITY-1680: Medium
SECURITY-1682: High
SECURITY-1695: Medium
SECURITY-1704: Low
SECURITY-1719: High

Affected Versions

Jenkins weekly up to and including 2.218
Jenkins LTS up to and including LTS 2.204.1
Code Coverage API Plugin up to and including 1.1.2
Fortify Plugin up to and including 19.1.29
WebSphere Deployer Plugin up to and including 1.6.1

Fix

Jenkins weekly should be updated to version 2.219
Jenkins LTS should be updated to version LTS 2.204.2
Code Coverage API Plugin should be updated to version 1.1.3
Fortify Plugin should be updated to version 19.2.30

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

WebSphere Deployer Plugin
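For the two non-constant-time comparison issues above (SECURITY-1659 and SECURITY-1660), the following is an added example and not Jenkins code: it places the early-exit String.equals pattern beside a check built on MessageDigest.isEqual, applied first to a shared agent connection secret and then to an HMAC tag. The class and method names are my own, and the secret, key and message are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Jenkins code. Contrasts the early-exit comparison pattern
// behind SECURITY-1659/1660 with a comparison whose running time does not
// depend on where the first mismatching byte sits.
public class SecretCompare {

    // Timing-leaky: String.equals stops at the first differing character, so
    // a guess that shares a longer prefix with the real secret takes longer.
    static boolean leakyEquals(String expected, String presented) {
        return expected.equals(presented);
    }

    // Hardened: MessageDigest.isEqual XORs every byte pair before deciding,
    // so the time taken does not reveal how many leading bytes matched.
    static boolean verifySecret(String expected, String presented) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    // HMAC-SHA256 tag over a message under a shared key.
    static byte[] hmac(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    // Recompute the tag and compare it in constant time; Arrays.equals or
    // String.equals on the hex form would reintroduce the leak.
    static boolean verifyHmac(byte[] key, byte[] message, byte[] presentedTag) throws Exception {
        return MessageDigest.isEqual(hmac(key, message), presentedTag);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; nothing here comes from a real Jenkins instance.
        String secret = "f3a1-constructed-agent-secret";
        System.out.println("leaky, right secret:     " + leakyEquals(secret, secret));
        System.out.println("hardened, wrong secret:  " + verifySecret(secret, "f3a1-guess"));
        byte[] key = "constructed-hmac-key".getBytes(StandardCharsets.UTF_8);
        byte[] msg = "agent-name=build-01".getBytes(StandardCharsets.UTF_8);
        byte[] tag = hmac(key, msg);
        byte[] tampered = tag.clone();
        tampered[0] ^= 0x01; // flip one bit of the tag
        System.out.println("genuine tag accepted:    " + verifyHmac(key, msg, tag));
        System.out.println("tampered tag accepted:   " + verifyHmac(key, msg, tampered));
    }
}
```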
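For the XXE issue in the WebSphere Deployer Plugin (SECURITY-1719), which has no fix at publication, this added example (not the plugin's code) shows the DocumentBuilderFactory configuration the advisory says is missing: DOCTYPE declarations and external entities are refused, so a descriptor such as WEB-INF/ibm-web-ext.xml cannot pull in outside content. The class and method names are my own and the two descriptor strings are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example, not WebSphere Deployer Plugin code. Builds a DOM parser that
// refuses DOCTYPE declarations and external entities, which is the missing
// configuration the advisory describes for SECURITY-1719.
public class SafeDescriptorParser {

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no DTD means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the root element name of a descriptor, or null if it was rejected.
    static String rootElement(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try {
            Document doc = hardenedBuilder().parse(new ByteArrayInputStream(bytes));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the parser throw as soon as it sees <!DOCTYPE.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptors, not real WebSphere files.
        String benign = "<web-ext><context-root uri=\"/app\"/></web-ext>";
        String withDtd = "<!DOCTYPE web-ext [<!ENTITY ext SYSTEM \"file:///nonexistent\">]>"
                + "<web-ext>&ext;</web-ext>";
        System.out.println("benign descriptor root: " + rootElement(benign));
        System.out.println("descriptor with DTD parsed: " + (rootElement(withDtd) != null));
    }
}
```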

Software Description

Jenkins is an open source software project: a Java-based continuous integration tool that monitors recurring jobs, with the aim of providing an open and easy-to-use platform that makes continuous integration of software possible. [1]

TSRC Analysis

None yet

Industry News

None yet
