Jenkins Security Advisory 2016-02-24

This advisory announces multiple vulnerabilities in Jenkins.

Description

Remote code execution vulnerability in remoting module

SECURITY-232 / CVE-2016-0788

A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins controller process, which allowed arbitrary code execution.

HTTP response splitting vulnerability

SECURITY-238 / CVE-2016-0789

An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.

Non-constant time comparison of API token

SECURITY-241 / CVE-2016-0790

The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.

Non-constant time comparison of CSRF crumbs

SECURITY-245 / CVE-2016-0791

The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.

Remote code execution through remote API

SECURITY-247 / CVE-2016-0792

Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.

Severity

  • SECURITY-232 is considered critical as it allows unprivileged attackers to execute arbitrary code in many configurations.

  • SECURITY-238 is considered medium as it allows unprivileged attackers to send maliciously crafted links that result e.g. in XSS to victims.

  • SECURITY-241 is considered high as it allows unprivileged attackers to brute-force valid login credentials.

  • SECURITY-245 is considered medium as it allows unprivileged attackers to brute-force CSRF protection.

  • SECURITY-247 is considered high as it allows low-privilege attackers to execute arbitrary code on the Jenkins controller.

Affected versions

  • All Jenkins main line releases up to and including 1.649

  • All Jenkins LTS releases up to and including 1.642.1

Fix

  • Jenkins main line users should update to 1.650

  • Jenkins LTS users should update to 1.642.2

These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

Credit

The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:

  • Moritz Bechler for SECURITY-232

  • Seung-Hyun Cho for SECURITY-238

  • Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG for SECURITY-241

  • James Nord, CloudBees, Inc. for SECURITY-245

  • Arshan Dabirsiaghi, Contrast Security for SECURITY-247