Jenkins Security Advisory 2017-09-27

This advisory announces a vulnerability in Jenkins.

Updated 2017-09-28: Clarified which options are disabled by default. Clarified that it affects only instances that originally installed 2.80.

Description

Unprotected startup

JENKINS-47139

Jenkins 2.80 did not correctly initialize the setup wizard on the first startup. This resulted in the following security settings not being set to the usual strict default:

  • No security realm was defined, and no admin user was created whose password was written to the Jenkins log or the initialAdminPassword file.

  • The authorization strategy remained Anyone can do anything rather than Logged-in users can do anything.

  • TCP port for JNLP agents, usually disabled by default, was open, unless a Java system property controlling it was set.

  • CLI over Remoting was enabled.

  • CSRF Protection was disabled.

  • Agent → Master Access Control was disabled.

Affected instances need to be configured to restrict access.

Jenkins instances upgraded from 2.79 or earlier to 2.80 without completing the setup wizard will no longer show the setup wizard, but are locked and need the initial administrator password to unlock.

Severity

  • JENKINS-47139: high

Affected versions

  • Jenkins 2.80 only

  • Jenkins LTS releases are unaffected

Fix

  • Users who originally installed Jenkins 2.80 should review all the options of the Configure Global Security dialog.

  • Users should choose Jenkins 2.81, which contains a fix for this issue, for new installations of Jenkins (weekly line).