Security Vulnerability on my Jenkins Server

Eric Fetzer
Hi all!  I'm getting hit by my security team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Is there a way to configure ciphers accepted for the Jenkins CLI?

Thanks,
Eric

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/392ef479-9516-4f17-9373-8054ef703bb5n%40googlegroups.com.
Ivan Fernandez Calvo
Yes, you can configure the ciphers accepted by your JDK by editing the file lib\security\java.security (the path will vary based on your Java version).

Eric Fetzer
I'm confused.  It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system.  We're getting flagged for:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Settings are:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Am I missing something? I'm not a Java security expert by any means...  Thanks!
Eric Fetzer
I think I found the solution to this:

Ivan Fernandez Calvo
I was wrong: you cannot configure the ciphers for the SSH server in the Java security files. The SSH server in Jenkins uses https://github.com/apache/mina-sshd; IIRC the Jenkins implementation of the SSH server does not read the sshd_config files, so it is not possible to configure the SSH server. Apache MINA has deprecated and disabled those algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004); the sshd-module and the CLI are using 1.7.0 (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I guess both should bump the dependency to remove support for weak algorithms.


Eric Fetzer
I'm sorry, I just saw the last comment on here and, once again, this showed up on our vulnerability report.  I don't get exactly what I need to do in order to fix this.  Can someone lay it out for me please?  Thanks - Eric

Ivan Fernandez Calvo
There is work in progress to bump the version of the library and convert the sshd-module into a plugin, to resolve this kind of issue quickly. For the moment you can configure the sshd servers on the agents' side to not allow weak ciphers; see https://www.ssh.com/ssh/sshd_config.



Eric Fetzer
Hmmm, I already hardened using that link: https://www.ssh.com/ssh/sshd_config

My /etc/ssh/sshd_config has:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

This is still showing up on my security scan though.  Am I missing something?

Thanks,
Eric

Ivan Fernandez Calvo
hmac-* are message authentication code algorithms (MACs), so you have to configure the MACs you support as well, for example:
MACs hmac-sha2-256,hmac-sha2-512

Eric Fetzer
My MACs line says:

MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[hidden email]

I believe this is hardened, isn't it?

Thanks,
Eric

Ivan Fernandez Calvo
I've re-read your first message: you ask about "Jenkins CLI over SSH", and there you cannot do anything until we replace the sshd-module. The module will support those MACs and it is not possible to disable them. However, I doubt that the Jenkins CLI uses those MACs, and you can always use HTTPS.

El El mié, 10 feb 2021 a las 18:28, Eric Fetzer <[hidden email]> escribió:
My MACs line says:

MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[hidden email]

I believe this is hardened, isn't it?

Thanks,
Eric

On Wed, Feb 10, 2021 at 9:40 AM kuisathaverat <[hidden email]> wrote:
hmac-* are Message authentication code algorithms (MACs), so you have to configure your Message authentication code algorithms (MACs) supported, for example
MACs hmac-sha2-256,hmac-sha2-512

El mié, 10 feb 2021 a las 17:24, Eric Fetzer (<[hidden email]>) escribió:
Hmmm, I already hardened by that link:  https://www.ssh.com/ssh/sshd_config

My /etc/ssh/sshd_config has:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

This is still showing up on my security scan though.  Am I missing something?

Thanks,
Eric

On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat <[hidden email]> wrote:
There is work in progress to bump the version of the library and convert the sshd-module in a plugin to resolve this kind of issues quickly. For the moment you can configure your sshd servers on the Agents side to do not allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.



El mar, 9 feb 2021 a las 17:19, [hidden email] (<[hidden email]>) escribió:
I'm sorry, I just saw the last comment on here and, once again, this showed up on our vulnerability report.  I don't get exactly what I need to do in order to fix this.  Can someone lay it out for me please?  Thanks - Eric

On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 [hidden email] wrote:
I was wrong you cannot configure the ciphers for the ssh server on the Java security files. The SSH server on Jenkins uses the https://github.com/apache/mina-sshd , IIRC the Jenkins implementation of the ssh server not read the sshd_config files so it is not posible to configure the ssh server. Apache mina has deprecated and disable those algorithms on 2.6.0 https://issues.apache.org/jira/browse/SSHD-1004, the sshd-module and CLI are using 1.7.0 https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77 So I guess both should bump the dependency to remove support for weak algorithms 


El miércoles, 26 de agosto de 2020 a las 16:06:22 UTC+2, [hidden email] escribió:
I think I found the solution to this:

On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 [hidden email] wrote:
I'm confused.  It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system.  We're getting flagged for:

 hmac-md5
  hmac-md5-96
  hmac-sha1-96

Settings are:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Am I missing this, not a java security expert by any means...  Thanks!
On Monday, August 24, 2020 at 11:09:43 AM UTC-6 [hidden email] wrote:
Yes, configuring the ciphers accepted by your JDK edit the file lib\security\java.security (the path will vary based on your Java version)

El lunes, 24 de agosto de 2020 a las 16:48:22 UTC+2, [hidden email] escribió:
Hi all!  I'm getting hit by my secuity team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Is there a way to configure ciphers accepted for the Jenkins CLI?

Thanks,
Eric


Re: Security Vulnerability on my Jenkins Server

Eric Fetzer
Thanks, guess we'll have to wait.  It's not based on what we do, it's just a security scan software.  It's not like anyone can get to it anyway, it's inside the wall, but it is what it is.  This one will have to become a POAM.  Do you have any clue when the fix is coming up?  Again, THANKS for all your help!

On Wed, Feb 10, 2021 at 1:25 PM kuisathaverat <[hidden email]> wrote:
I've re-read your first message; you asked for "Jenkins CLI over SSH", and there you cannot do anything until we replace the ssh-module. The module will support those MACs and it is not possible to disable them. However, I doubt that the Jenkins CLI uses those MACs, and you can always use HTTPS.

On Wed, Feb 10, 2021 at 18:28, Eric Fetzer <[hidden email]> wrote:
My MACs line says:

MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[hidden email]

I believe this is hardened, isn't it?

Thanks,
Eric

On Wed, Feb 10, 2021 at 9:40 AM kuisathaverat <[hidden email]> wrote:
hmac-* are message authentication code algorithms (MACs), so you have to configure the message authentication code algorithms (MACs) you support, for example:
MACs hmac-sha2-256,hmac-sha2-512

On Wed, Feb 10, 2021 at 17:24, Eric Fetzer (<[hidden email]>) wrote:
Hmmm, I already hardened following that link:  https://www.ssh.com/ssh/sshd_config

My /etc/ssh/sshd_config has:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

This is still showing up on my security scan though.  Am I missing something?

Thanks,
Eric

On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat <[hidden email]> wrote:
There is work in progress to bump the version of the library and convert the sshd-module into a plugin to resolve this kind of issue quickly. For the moment you can configure your sshd servers on the agent side to not allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.



On Tue, Feb 9, 2021 at 17:19, [hidden email] (<[hidden email]>) wrote:
I'm sorry, I just saw the last comment on here and, once again, this showed up on our vulnerability report.  I don't get exactly what I need to do in order to fix this.  Can someone lay it out for me please?  Thanks - Eric

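As an added example (not from this thread or the Jenkins project): a Python check that parses the MAC name-lists an SSH server advertises in its SSH_MSG_KEXINIT (RFC 4253, section 7.1) and flags the three MACs the scan reported, so a finding like this can be confirmed against what a server actually offers rather than against sshd_config alone. The two server payloads are constructed fixtures, not captures from a Jenkins instance; the weak-MAC list is the one from the thread.

```python
import struct

# MACs the scanner in the thread flagged; treated as weak here.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _read_name_list(buf, off):
    """Read one SSH name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n

def parse_kexinit(payload):
    """Return the algorithm name-lists from a raw SSH_MSG_KEXINIT payload."""
    if not payload or payload[0] != 20:  # 20 == SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id followed by the 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        lists[field], off = _read_name_list(payload, off)
    return lists

def weak_macs_offered(lists):
    """Weak MACs the peer advertises in either direction, sorted."""
    offered = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    return sorted(offered & WEAK_MACS)

def build_kexinit(macs):
    """Constructed KEXINIT fixture: fixed kex/cipher lists, caller-chosen MACs."""
    lists = dict.fromkeys(KEXINIT_FIELDS, [])
    lists.update(kex=["curve25519-sha256"], hostkey=["ssh-ed25519"],
                 enc_c2s=["aes128-ctr"], enc_s2c=["aes128-ctr"],
                 mac_c2s=macs, mac_s2c=macs, comp_c2s=["none"], comp_s2c=["none"])
    body = bytes([20]) + b"\x00" * 16  # message id, zero cookie (fixture only)
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists[field]).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

# Constructed fixtures (not captures): the flagged MACs still offered, vs. the hardened MACs line from the thread.
LEGACY_SERVER = build_kexinit(["hmac-sha2-256", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"])
HARDENED_SERVER = build_kexinit(["hmac-sha2-256", "hmac-sha2-512"])

if __name__ == "__main__":
    for label, blob in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, weak_macs_offered(parse_kexinit(blob)) or "no weak MACs")
```

To check a live server of your own, feed `parse_kexinit` the payload of the first packet the server sends after the version banner (it is unencrypted at that point).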