Jenkins Security Advisory 2014-10-30

This advisory announces a security vulnerability/hardening (CVE-2014-3665) in Jenkins core.

Description

Historically, Jenkins controller and agents behaved as if they altogether form a single distributed process. This means an agent can ask a controller to do just about anything within the confinement of the operating system, such as accessing files on the Jenkins controller or trigger other jobs on Jenkins.

This has increasingly become problematic, as larger enterprise deployments have developed more sophisticated trust separation model, where the administators of a controller might take agents owned by other teams. In such an environment, agents are less trusted than the Jenkins controller. Yet the "single distributed process" assumption was not communicated well to the users, resulting in vulnerabilities in some deployments.

SECURITY-144 (CVE-2014-3665) introduces a new subsystem to address this problem. This feature is off by default for compatibility reasons. See Wiki for more details, who should turn this on, and implications.

Severity

CVE-2014-3665 is rated high. It only affects installations that accept agents from less trusted computers, but this will allow an owner of of such an agent to mount a remote code execution attack on Jenkins.

Affected Versions

The following versions are affected, but only if you connect agents that are managed by less trusted users.

  • All the main line releases < 1.587

  • All the LTS releases < 1.580.1

Fix

  • Main line users should upgrade to 1.587

  • LTS users should upgrade to 1.580.1

Other Resources