Jenkins Security Advisory 2017-03-20

This advisory announces vulnerabilities in these Jenkins plugins:

Description

SSH Build Agents Plugin did not verify host keys

SECURITY-161 / CVE-2017-2648

The SSH Build Agents Plugin did not perform host key verification, thereby enabling Man-in-the-Middle attacks.

Active Directory Plugin did not verify certificate of AD server

SECURITY-251 / CVE-2017-2649

The Active Directory Plugin did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.

Pipeline: Classpath Step plugin allowed Script Security sandbox bypass

SECURITY-336 / CVE-2017-2650

Use of this plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.

Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin and Email Extension Plugin

SECURITY-372 / CVE-2017-2651 (Mailer) and CVE-2017-2654 (Email Extension)

The Mailer and Email Extension Plugins are able to send emails to a dynamically created list of users based on the changelogs, like "authors of SCM changes since the last successful build".

This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.

Missing permission checks in Distributed Fork Plugin

SECURITY-386 / CVE-2017-2652

There were no permission checks performed in the Distributed Fork plugin that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.

Severity

SECURITY-161: medium
SECURITY-251: high
SECURITY-336: critical
SECURITY-372: low
SECURITY-386: critical

Affected versions

Active Directory Plugin up to and including version 2.2.
DistFork Plugin up to and including version 1.5.0.
Email Extension (email-ext) Plugin up to and including version 2.57.
Mailer Plugin up to and including version 1.19.
Pipeline: Classpath Step Plugin: All versions. No fix for this plugin is currently planned.
SSH Build Agents Plugin up to and including version 1.14.

Fix

Active Directory Plugin should be updated to version 2.3.
DistFork Plugin should be updated to version 1.6.0.
Email Extension (email-ext) Plugin should be updated to version 2.57.1.
Mailer Plugin should be updated to version 1.20.
SSH Build Agents Plugin should be updated to version 1.15.
Pipeline: Classpath Step Plugin should be disabled or uninstalled, and its uses replaced by the Pipeline libraries feature. No fix for this plugin is currently planned.

These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities unless otherwise noted.

Credit

The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:

Tim Otten, CiviCRM LLC for SECURITY-161
Steven Christou, CloudBees, Inc. for SECURITY-251
Jesse Glick, CloudBees, Inc. for SECURITY-336
Caleb Tennis, CloudBees, Inc. for SECURITY-372
James Nord, CloudBees, Inc. for SECURITY-386