This advisory announces multiple vulnerabilities in Jenkins.
SECURITY-304 / CVE-2017-2598
Secrets such as passwords are typically stored on disk and sent to users as part of some pages in encrypted form. These were encrypted using AES-128 ECB without IV, which exposes Jenkins and the stored secrets to unnecessary risks. Jenkins now encrypts secrets using AES-128 CBC with random IV.
SECURITY-321 / CVE-2017-2599
An insufficient permission check allowed users with the permission to create new items (e.g. jobs) to overwrite existing items they don’t have access to. After a Jenkins restart, children of the original item, such as builds, were then accessible in some circumstances.
SECURITY-343 / CVE-2017-2600
Overall/Read permission was sufficient to access node monitor data via the remote API. These included system configuration and runtime information of these nodes.
SECURITY-349 / CVE-2011-4969
The Simile timeline widget used on build history pages bundles an outdated jQuery vulnerable to CVE-2011-4969. We were unable to confirm that Jenkins is vulnerable, but updated the jQuery version bundled with the Simile timeline widget anyway.
SECURITY-353 / CVE-2017-2601
SECURITY-354 / CVE-2015-0886
Jenkins bundled an outdated version of jbcrypt that was affected by CVE-2015-0886.
SECURITY-358 / CVE-2017-2602
The Pipeline suite of plugins stored build metadata in the file
program.dat and the directory
workflow/. These were not excluded in the agent-to-master security subsystem and could therefore be written to by malicious agents.
SECURITY-362 / CVE-2017-2603
Agents that were disconnected by users contained the disconnecting user’s
User object in serialized form in the
config.xml remote API output. This could leak sensitive data such as API tokens.
SECURITY-371 / CVE-2017-2604
Administrative monitors are warnings about the system state shown to Jenkins admins. They sometimes provide actions to e.g. automatically address the reported problem, or disable the warning. These actions were not consistently protected by permission checks, thereby allowing low privilege users to act on them.
All administrative monitors now require the user accessing them to be an administrator.
SECURITY-376 / CVE-2017-1000362
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards.
Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory
$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.
SECURITY-380 / CVE-2017-2606
Jenkins#getItems() included a performance optimization that resulted in all items being returned if the Logged in users can do anything authorization strategy was used, and no access was granted to anonymous users (an option added in Jenkins 2.0). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an
SECURITY-382 / CVE-2017-2607
Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Popular examples include the highlighting of sections by Ant Plugin, or the timestamp metadata from Timestamper. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.
To prevent this, console notes are now signed by Jenkins when created, and Jenkins will only deserialize correctly signed console notes. As a side effect, console notes created before updating to a release containing this fix will no longer be deserialized. To restore the previous (unsafe) behavior, set the system property
true as described on Features controlled by system properties.
SECURITY-383 / CVE-2017-2608
XStream-based APIs in Jenkins (e.g.
/createItem URLs, or
POST config.xml remote API) were vulnerable to a remote code execution vulnerability involving the deserialization of various types in
In case this extension of the blocklist results in regressions, the blocklist can be customized as described in the Jenkins LTS upgrade guide for Jenkins 2.19.3.
SECURITY-385 / CVE-2017-2609
The autocompletion for the search box provided the names of views the current user does not have access to in its suggestions. These suggestions were removed.
SECURITY-388 / CVE-2017-2610
Jenkins allows the creation of users with less-than and greater-than characters in their names. These user names were not escaped when displaying search suggestions, resulting in a cross-site scripting vulnerability.
SECURITY-389 / CVE-2017-2611
/fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
SECURITY-392 / CVE-2017-2612
Jenkins allows administrators to enter their username and password to the Oracle download site which provides JDKs for download. Users with read access to Jenkins were able to override these credentials, resulting in future builds possibly failing to download a JDK. A permission check has been added.
SECURITY-406 / CVE-2017-2613
When administrators accessed a URL like
/user/example via HTTP GET, a user with the ID
example was created if it did not exist. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records.
Accessing these URLs now no longer results in a user record getting created, Jenkins will respond with 404 Not Found if no such user exists. When using the internal Jenkins user database, new users can be created via Manage Jenkins » Manage Users. To restore the previous (unsafe) behavior, set the system property
true as described on Features controlled by system properties.
All Jenkins main line releases up to and including 2.43
All Jenkins LTS releases up to and including 2.32.1
Jenkins main line users should update to 2.44
Jenkins LTS users should update to 2.32.2
These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
Ben Walding, CloudBees, Inc. for SECURITY-304
Daniel Beck, CloudBees, Inc. for SECURITY-343, SECURITY-371, SECURITY-385, and SECURITY-392
James Dumay, CloudBees, Inc. for SECURITY-380
Jean Marsault, Wavestone for SECURITY-388 and SECURITY-406
Jesse Glick, CloudBees, Inc. for SECURITY-358 and SECURITY-382
Mayuri Gaikwad and Suhas Gaikwad for SECURITY-353
Moritz Bechler of AgNO3 for SECURITY-383
Robert Picard, Addepar for SECURITY-389
Robert Pitt, Electronic Arts Inc. for SECURITY-362
Steve Marlowe <firstname.lastname@example.org> of Cisco ASIG for SECURITY-376
Taneli Vallo for SECURITY-321