Security Vulnerability on my Jenkins Server

Security Vulnerability on my Jenkins Server

Eric Fetzer
Hi all!  I'm getting hit by my security team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Is there a way to configure ciphers accepted for the Jenkins CLI?

Thanks,
Eric

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/392ef479-9516-4f17-9373-8054ef703bb5n%40googlegroups.com.
Re: Security Vulnerability on my Jenkins Server

Ivan Fernandez Calvo
Yes, configure the ciphers accepted by your JDK by editing the file lib\security\java.security (the path will vary based on your Java version).

On Monday, August 24, 2020 at 16:48:22 UTC+2, [hidden email] wrote:
Re: Security Vulnerability on my Jenkins Server

Eric Fetzer
I'm confused.  It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system.  We're getting flagged for:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Settings are:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Am I missing this? Not a Java security expert by any means...  Thanks!
On Monday, August 24, 2020 at 11:09:43 AM UTC-6 [hidden email] wrote:
Re: Security Vulnerability on my Jenkins Server

Eric Fetzer
I think I found the solution to this:

On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 [hidden email] wrote:
Re: Security Vulnerability on my Jenkins Server

Ivan Fernandez Calvo
I was wrong: you cannot configure the ciphers for the SSH server in the Java security files. The SSH server in Jenkins uses https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation of the SSH server does not read the sshd_config files, so it is not possible to configure the SSH server. Apache MINA has deprecated and disabled those algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004); the sshd-module and the CLI are using 1.7.0 (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I guess both should bump the dependency to remove support for weak algorithms.


On Wednesday, August 26, 2020 at 16:06:22 UTC+2, [hidden email] wrote:
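As an added example (not code from this thread, from Jenkins, or from Apache MINA SSHD): the jdk.tls.disabledAlgorithms property quoted earlier is consulted by JSSE for TLS and has no effect on an SSH server, so the thing to inspect is the SSH_MSG_KEXINIT the server sends before any key is negotiated, which is exactly what a scanner reads when it reports hmac-md5 and friends. The script below parses a KEXINIT payload (RFC 4253) into its name-lists, reports which of the flagged MACs the server advertises, and can be pointed at a live host and port. The WEAK_MACS set, the probe's version string and the sample server list are assumptions; the sample is constructed, not captured from a real Jenkins instance.

```python
"""Probe an SSH server's KEXINIT and flag weak MAC algorithms (added example)."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# MACs flagged in the thread plus the other MD5 / 96-bit-truncated variants
# (assumption: this mirrors the policy of a typical vulnerability scanner).
WEAK_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
    "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
    "hmac-sha1-96-etm@openssh.com",
}

# Name-lists in SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload: message id, 16-byte cookie, ten name-lists, flag."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16
    fields = {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = [alg for alg in raw.split(",") if alg]
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields


def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT payload from name-lists (lists not given are sent empty)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in KEXINIT_FIELDS:
        value = ",".join(lists.get(name, ())).encode("ascii")
        out += struct.pack(">I", len(value)) + value
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def weak_macs_offered(kexinit: dict) -> list:
    """Weak MACs the server advertises in either direction, in first-seen order."""
    found = []
    for direction in ("mac_algorithms_client_to_server", "mac_algorithms_server_to_client"):
        for mac in kexinit[direction]:
            if mac in WEAK_MACS and mac not in found:
                found.append(mac)
    return found


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _recv_line(sock) -> bytes:
    line = b""
    while not line.endswith(b"\n"):
        line += _recv_exact(sock, 1)
    return line


def fetch_server_kexinit(host: str, port: int, timeout: float = 5.0) -> dict:
    """Do the version exchange and return the server's parsed KEXINIT (sent unencrypted)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-macprobe\r\n")  # our version string (assumption)
        while not _recv_line(sock).startswith(b"SSH-"):  # skip any pre-version banner lines
            pass
        # Binary packet (RFC 4253 section 6): uint32 packet_length, byte padding_length,
        # payload, padding. No MAC yet, because no keys have been negotiated.
        packet_length, padding_length = struct.unpack(">IB", _recv_exact(sock, 5))
        body = _recv_exact(sock, packet_length - 1)
        return parse_kexinit(body[:packet_length - 1 - padding_length])


# Constructed sample standing in for what an SSH server built on an old Apache MINA
# SSHD might advertise; the exact list and its order are an assumption.
SAMPLE_SERVER_KEXINIT = build_kexinit(
    kex_algorithms=["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    server_host_key_algorithms=["ssh-rsa"],
    encryption_algorithms_client_to_server=["aes128-ctr", "aes256-ctr"],
    encryption_algorithms_server_to_client=["aes128-ctr", "aes256-ctr"],
    mac_algorithms_client_to_server=["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"],
    mac_algorithms_server_to_client=["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        kexinit = fetch_server_kexinit(sys.argv[1], int(sys.argv[2]))
    else:
        kexinit = parse_kexinit(SAMPLE_SERVER_KEXINIT)
    print("server MACs:", kexinit["mac_algorithms_server_to_client"])
    print("weak MACs offered:", weak_macs_offered(kexinit) or "none")
```

Run it with a host and the SSH port configured for Jenkins to read a live server; with no arguments it runs against the constructed sample. Since the algorithm lists come from the embedded library rather than from any config file, rerunning this after the sshd-module dependency is bumped, and seeing the flagged MACs disappear from the server-to-client list, is the evidence to hand back to the scanning team.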