Jenkins Vulnerability Scan


Jenkins Vulnerability Scan

Eric Fetzer
We're getting gigged on a security scan that, looking at the Jenkins documentation, should not be happening.  The scan is turning up:

Vulnerability | Host | IP | Port | 201701 | 201702 | 201703 | 201704 | 201705 | 201706 | 201707
Jenkins JDK / Ant Tools Job Configuration Stored XSS Vulnerability (SECURITY-624) | <redacted> | <redacted> | TCP:8080 | NO | NO | NO | NO | NO | NO | NO

In the documentation, I see two places where this could be turning up: Ant plugin versions prior to 1.8, and Jenkins versions prior to 2.93.  Our Jenkins version is 2.107.1 and we just upgraded our Ant plugin to 1.8.  Anyone have an idea what's getting us here?

Thanks,
Eric

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/7b99d896-52f0-4879-b863-45ce3492a651%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Jenkins Vulnerability Scan

Eric Fetzer
No one has any ideas about this at all?


Re: Jenkins Vulnerability Scan

Mark Waite-2
Your mail doesn't tell us what security vulnerability is believed to exist.

Can you explain further what the report means and what you believe should be done?

Mark Waite


Re: Jenkins Vulnerability Scan

Eric Fetzer
Sorry Mark, not sure if you see "SECURITY-624" in the Table I posted.  Here's the Jenkins Security Advisory:


But then the Jenkins change log shows that with version 2.107, this was addressed (more than just a work around):  https://jenkins.io/changelog/.  We are at 2.107.1, but the scan is still tagging us on this issue.

Thanks,
Eric


Re: Jenkins Vulnerability Scan

Mark Waite-2


On Wed, Apr 18, 2018 at 7:26 AM Eric Fetzer <[hidden email]> wrote:
Sorry Mark, not sure if you see "SECURITY-624" in the Table I posted.  Here's the Jenkins Security Advisory:


But then the Jenkins change log shows that with version 2.107, this was addressed (more than just a work around):  https://jenkins.io/changelog/.  We are at 2.107.1, but the scan is still tagging us on this issue.


As far as I can tell, SECURITY-624 reported an XSS vulnerability in the Ant plugin (and incorrectly reported an XSS vulnerability in Jenkins core).

The 2017-12-05 advisory reported that it was unresolved and provided a workaround.

The 2018-01-22 advisory notes that the problem was specific to Ant plugin versions 1.7 and prior and is fixed in Ant plugin 1.8.  That advisory lists other plugins and their versions, though does not mention if any of those plugins are affected by the XSS vulnerability.

The 2.89.4 LTS changelog reports that changes were made in core to reduce the risk of problems like SECURITY-624.

The 2.107 (weekly) changelog reports the same changes that were made in 2.89.4 LTS to reduce the risk of SECURITY-624 problems.

I assume that it is not enough to upgrade Jenkins core to those versions.  The Ant plugin needs to be upgraded to at least 1.8.  Likewise, I would assume that the other plugins mentioned in the 2018-01-22 advisory need to be upgraded to at least those versions.

Are you running new enough versions of the plugins listed in those advisories?

Mark Waite

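Mark's closing question, whether every plugin named in the advisories is at or above its fixed version, is the check a defender actually has to run. The following is an added example, not code from the thread or from the Jenkins project: it audits the plugin list that Jenkins exposes at /pluginManager/api/json?depth=1 (the shortName and version fields) against a table of minimum fixed versions, using the Ant plugin floor of 1.8 from the 2018-01-22 advisory; the JSON below is constructed inline so it runs offline, and the "example-plugin" entry is a placeholder for further advisory rows.

```python
import json
import re

# Minimum fixed versions taken from the advisory being checked. Only the
# Ant plugin value (1.8) comes from the thread; add other shortName: version
# pairs from the advisory text. "example-plugin" is a placeholder name.
MIN_FIXED = {
    "ant": "1.8",
}

def version_key(version):
    """Turn '2.107.1' or '1.8-beta-1' into a tuple that sorts correctly.
    Numeric segments compare as integers (so 2.107 > 2.93); a qualifier
    such as beta/rc sorts below the bare release with the same numbers."""
    nums, qual = [], []
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit() and not qual:
            nums.append(int(part))
        else:
            qual.append(part.lower())
    while nums and nums[-1] == 0:      # treat 1.8.0 as equal to 1.8
        nums.pop()
    # final release: (numbers, 1); pre-release: (numbers, 0, qualifier)
    return (tuple(nums), 1) if not qual else (tuple(nums), 0, tuple(qual))

def is_at_least(installed, minimum):
    return version_key(installed) >= version_key(minimum)

def audit_plugins(plugin_manager_json, minimums=MIN_FIXED):
    """Return {shortName: (installed, minimum, ok)} for each plugin in the
    minimums table. A plugin that is not installed is reported with
    installed=None and ok=True: the advisory only concerns installed code."""
    installed = {p["shortName"]: p["version"]
                 for p in json.loads(plugin_manager_json)["plugins"]}
    report = {}
    for name, minimum in minimums.items():
        have = installed.get(name)
        ok = True if have is None else is_at_least(have, minimum)
        report[name] = (have, minimum, ok)
    return report

# Constructed sample mirroring the shape of /pluginManager/api/json?depth=1.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "ant", "version": "1.8", "active": True},
    {"shortName": "example-plugin", "version": "3.8.0", "active": True},
]})

if __name__ == "__main__":
    for name, (have, need, ok) in audit_plugins(SAMPLE).items():
        state = "OK" if ok else "UPGRADE"
        print(f"{name}: installed={have} minimum={need} {state}")
```

Run it against the live endpoint by replacing SAMPLE with the response body fetched with an API token; a scanner that still flags SECURITY-624 after every row reports OK is matching on something other than the plugin version.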

Re: Jenkins Vulnerability Scan

Daniel Beck

> On 18. Apr 2018, at 16:33, Mark Waite <[hidden email]> wrote:
>
> Likewise, I would assume that the other plugins mentioned in the 2018-01-22 advisory need to be upgraded to at least those versions.

Just a quirk of our advisory format. Unless another plugin is specifically mentioned as affected by this, it is not believed to be.

Regarding whether the core update is sufficient, I'm not sure offhand. It could be.

That said, unless you have a strictly locked down Jenkins instance, admins can already XSS other users, so this isn't an issue relevant to most of the real world.

Regarding the security scan, I wouldn't be surprised if they found a reference to Ant (the build tool) and confused it with Ant (the plugin). Most of what we get reported from security scan tools is complete garbage.


Re: Jenkins Vulnerability Scan

Eric Fetzer
In reply to this post by Mark Waite-2
Thanks Mark!  That's good info.  I'll break it down and see where we stand.


Re: Jenkins Vulnerability Scan

Eric Fetzer
In reply to this post by Daniel Beck
Thanks Daniel!  We do have the Ant plugin installed, but our version is updated beyond the affected patch level.
