Jenkins Security Advisory 2021-11-04

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control

SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695
Severity (CVSS): Critical
Description:

The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.

Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.

  • SECURITY-2427 / CVE-2021-21685: FilePath#mkdirs does not check permission to create parent directories.

  • SECURITY-2444 / CVE-2021-21686: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.

  • SECURITY-2446 / CVE-2021-21687: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link.

  • SECURITY-2484 / CVE-2021-21688: FilePath#reading(FileVisitor) does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, #copyRecursiveTo).

  • SECURITY-2485 / CVE-2021-21689: FilePath#unzip and FilePath#untar were not subject to any access control.

  • SECURITY-2486 / CVE-2021-21690: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path.

  • SECURITY-2531 / CVE-2021-21691: Creating symbolic links is possible without the symlink permission.

  • SECURITY-2538 / CVE-2021-21692: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path.

  • SECURITY-2539 / CVE-2021-21693: When creating temporary files, permission to create files is only checked after they’ve been created.

  • SECURITY-2541 / CVE-2021-21694: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions.

  • SECURITY-2542 / CVE-2021-21695: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.

We expect that most of these vulnerabilities have been present since SECURITY-144 was addressed in the 2014-10-30 security advisory.

Jenkins 2.319, LTS 2.303.3 addresses these security vulnerabilities.

  • SECURITY-2427 / CVE-2021-21685: FilePath#mkdirs checks permission to create parent directories.

  • SECURITY-2444 / CVE-2021-21686: File path filters canonicalize paths, preventing operations from following symbolic links to outside allowed directories.

  • SECURITY-2446 / CVE-2021-21687: FilePath#untar checks permission to create symbolic links when unarchiving a symbolic link.

  • SECURITY-2484 / CVE-2021-21688: FilePath#reading(FileVisitor) correctly rejects operations if they operate on files outside allowed directories.

  • SECURITY-2485 / CVE-2021-21689: FilePath#unzip and FilePath#untar are now subject to access control.

  • SECURITY-2486 / CVE-2021-21690: Agent processes are no longer able to completely bypass file path filtering by wrapping the file operation in an agent file path.

  • SECURITY-2531 / CVE-2021-21691: Creating symbolic links now correctly checks the symlink permission.

  • SECURITY-2538 / CVE-2021-21692: The operations FilePath#renameTo and FilePath#moveAllChildrenTo check both read and delete permissions on the source path.

  • SECURITY-2539 / CVE-2021-21693: When creating temporary files, permission to create files is checked before they are created based on an artificial path.

  • SECURITY-2541 / CVE-2021-21694: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant check stat permission. FilePath#get*DiskSpace methods are no longer allowed to be executed by an agent.

  • SECURITY-2542 / CVE-2021-21695: FilePath#listFiles checks stat permission on files it returns, preventing listing files outside allowed directories.

As some common operations are now newly subject to access control, it is expected that plugins sending commands from agents to the controller may start failing. Additionally, the newly introduced path canonicalization means that instances using a custom builds directory (Java system property jenkins.model.Jenkins.buildsDir) or partitioning JENKINS_HOME using symbolic links may fail access control checks. See the documentation for how to customize the configuration in case of problems.
If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the Remoting Security Workaround Plugin. It will prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.

Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin

SECURITY-2423 / CVE-2021-21696
Severity (CVSS): High
Description:

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries.

This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.

Jenkins 2.319, LTS 2.303.3 prohibits agent read/write access to the libs/ directory inside build directories.

If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the Remoting Security Workaround Plugin. It will prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.
It is not easily possible to customize the file access rules to prohibit access to the libs/ directory specifically, as built-in rules (granting access to <BUILDDIR> contents) would take precedence over a custom rule prohibiting access.

Agent-to-controller access control allows reading/writing most content of build directories

SECURITY-2428 / CVE-2021-21697
Severity (CVSS): High
Description:

Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related metadata during build execution. As a consequence, this allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).

Jenkins 2.319, LTS 2.303.3 prevents agents from accessing contents of build directories unless it’s for builds currently running on the agent attempting to access the directory.

Update Pipeline: Nodes and Processes to version 2.40 or newer for Jenkins to associate Pipeline node blocks with the agent they’re running on for this fix.
If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the Remoting Security Workaround Plugin. It will prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.

Path traversal vulnerability in Subversion Plugin allows reading arbitrary files

SECURITY-2506 / CVE-2021-21698
Severity (CVSS): Medium
Affected plugin: subversion
Description:

Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

Subversion Plugin 2.15.1 checks for the presence of and prohibits directory separator characters as part of the file name, restricting it to the intended directory.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.318
  • Jenkins LTS up to and including 2.303.2
  • Subversion Plugin up to and including 2.15.0

Fix

  • Jenkins weekly should be updated to version 2.319
  • Jenkins LTS should be updated to version 2.303.3
  • Subversion Plugin should be updated to version 2.15.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-2423, SECURITY-2428, SECURITY-2455, SECURITY-2506