Jenkins Security Advisory 2019-01-16

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)

Descriptions

Administrators could persist access to Jenkins using crafted 'Remember me' cookie

SECURITY-868 / CVE-2019-1003003

Users with the Overall/RunScripts permission (typically administrators) were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire.

This allowed attackers access to a Jenkins instance while the corresponding user in the configured security realm exists, for example to persist access after another successful attack.

Jenkins now encodes a per-user seed value in 'Remember me' cookies that is invalidated when the user password in the Jenkins user database is changed, the user record in Jenkins is deleted, or when all sessions for a given user are terminated through a new feature on the user’s configuration page.

Deleting a user in an external security realm did not invalidate their session or 'Remember me' cookie

SECURITY-901 / CVE-2019-1003004

When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm does not result in the user losing access to Jenkins.

While deleting the user record from Jenkins did invalidate the 'Remember me' cookie, there was no way to invalidate active sessions besides restarting Jenkins or terminating sessions through other means, such as Monitoring Plugin.

Jenkins now encodes a per-user seed value in sessions, 'Remember me' cookies, and cached authentications of the remoting-based CLI, that can manually be reset by a user themselves, or an administrator, on the user’s configuration page. Doing so will invalidate all current sessions, 'Remember me' cookies, and cached CLI authentications, requiring credentials to be entered again to authenticate. Deleting a user record in Jenkins will now also invalidate existing sessions, as the current seed value is deleted as well.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.159
  • Jenkins LTS up to and including 2.150.1

Fix

  • Jenkins weekly should be updated to version 2.160
  • Jenkins LTS should be updated to version 2.150.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Apple Information Security for SECURITY-868
  • Nimrod Stoler of CyberArk Labs for SECURITY-901