Jenkins Security Advisory 2019-05-21

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Credentials Plugin

  • PAM Authentication Plugin

Descriptions

Missing permission check allowed obtaining limited information about system configuration in PAM Authentication Plugin

SECURITY-1316 / CVE-2019-10319

A missing permission check in PAM Authentication Plugin allowed users with Overall/Read permission to invoke a form validation method to obtain limited information about the file /etc/shadow on systems with that file present, as well as the system user the Jenkins process is running as.

Depending on configuration, one of the following messages could be obtained by an attacker:

  • "Jenkins needs to be able to read /etc/shadow"

  • "(1) needs to belong to group (2) to read /etc/shadow"

  • "Either Jenkins needs to run as (3) or (1) needs to belong to group (2) and 'chmod g+r /etc/shadow' needs to be done to enable Jenkins to read /etc/shadow"

  • "Success"

The numeric placeholders in the messages above would be populated with the following values:

  1. The system user that the Jenkins controller process is running as (usually jenkins)

  2. The group owning /etc/shadow

  3. The user owning /etc/shadow

This form validation method now requires Overall/Administer permission.
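To illustrate the pattern behind SECURITY-1316, here is an added example (not code from the PAM Authentication Plugin or the Jenkins project) of a Stapler form validation method that probes a file on the controller: first without any permission check, then with the Overall/Administer check the advisory describes. The class, package and parameter names are hypothetical.

```java
package example; // hypothetical plugin package (assumption)

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical global configuration whose form validation probes a file on
 * the controller, modelled on the issue described above.
 */
@Extension
public class ExampleFileCheckConfiguration extends GlobalConfiguration {

    /** Shared probe: reports whether the Jenkins process can read the path. */
    private static FormValidation probe(String value) {
        Path p = Paths.get(value);
        if (!Files.exists(p)) {
            return FormValidation.error("File does not exist");
        }
        if (!Files.isReadable(p)) {
            // Reveals the system user Jenkins runs as, like the messages above.
            return FormValidation.warning(
                "Jenkins (" + System.getProperty("user.name") + ") cannot read " + p);
        }
        return FormValidation.ok("Success");
    }

    /**
     * BEFORE (vulnerable pattern): no permission check. Stapler exposes this
     * at /descriptorByName/<class>/checkFileUnchecked, so any user with
     * Overall/Read could learn whether a path exists and who Jenkins runs as.
     */
    public FormValidation doCheckFileUnchecked(@QueryParameter String value) {
        return probe(value);
    }

    /**
     * AFTER (fixed pattern): require Overall/Administer before touching the
     * file system. checkPermission throws AccessDeniedException for callers
     * lacking the permission, so no message is returned to them.
     */
    public FormValidation doCheckFileChecked(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(value);
    }
}
```

In a real plugin only the checked variant would exist; the unchecked one is kept here solely to show what a missing check looks like in review.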

Certificate file read vulnerability in Credentials Plugin

SECURITY-1322 / CVE-2019-10320

Credentials Plugin allowed the creation of Certificate credentials from a PKCS#12 file on the Jenkins controller. Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path.

Additionally, they could create credentials from any valid PKCS#12 file on the Jenkins controller. With the ability to configure jobs to access these credentials, they could obtain the certificate content.

Credentials Plugin no longer supports Certificate credentials from PKCS#12 files on the Jenkins controller file system. Existing Certificate credentials of this kind are automatically migrated to directly entered Certificate credentials during Jenkins startup.

Due to technical limitations, these migrated credentials are not immediately persisted. In rare situations a non-administrator user might access a credential migrated this way and encounter a permission error. The solution is to save affected credentials manually, either individually through the UI or with the following script for the Script Console:

com.cloudbees.plugins.credentials.CredentialsProvider.saveAll()

This operation may impact performance.

In almost all cases the automatic migration will work and these additional steps will be unnecessary.

Severity

Affected Versions

  • Credentials Plugin up to and including 2.1.18
  • PAM Authentication Plugin up to and including 1.5

Fix

  • Credentials Plugin should be updated to version 2.1.19
  • PAM Authentication Plugin should be updated to version 1.5.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-1316
  • Yakov Shafranovich and Pankaj Upadhyay, T. Rowe Price Associates, Inc. for SECURITY-1322