Jenkins Vulnerability Scan


Eric Fetzer
Apr 13, 2018, 2:21:36 PM
to Jenkins Users
We're getting gigged on a security scan for something that, looking at the Jenkins documentation, should not be happening.  The scan is turning up:


Vulnerability   Jenkins JDK / Ant Tools Job Configuration Stored XSS Vulnerability (SECURITY-624)
Host            <redacted>
IP              <redacted>
Port            TCP:8080
201701          NO
201702          NO
201703          NO
201704          NO
201705          NO
201706          NO
201707          NO



In the documentation, I see 2 places where this could be turning up.  Ant plugin prior to 1.8, and Jenkins version prior to 2.93.  Our Jenkins version is 2.107.1 and we just upgraded our Ant plugin to 1.8.  Anyone have an idea what's getting us here?

Thanks,
Eric

Eric Fetzer
Apr 17, 2018, 11:02:37 AM
to Jenkins Users
No one has any ideas about this at all?

Mark Waite
Apr 17, 2018, 4:37:12 PM
to jenkins...@googlegroups.com
Your mail doesn't tell us what security vulnerability is believed to exist.

Can you explain further what the report means and what you believe should be done?

Mark Waite

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/58bf582a-a106-4f95-966a-07642c16e11c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Eric Fetzer
Apr 18, 2018, 9:26:18 AM
to jenkins...@googlegroups.com
Sorry Mark, not sure if you saw "SECURITY-624" in the table I posted.  Here's the Jenkins Security Advisory:


But then the Jenkins change log shows that with version 2.107 this was addressed (more than just a workaround):  https://jenkins.io/changelog/.  We are at 2.107.1, but the scan is still tagging us on this issue.

Thanks,
Eric

Mark Waite
Apr 18, 2018, 10:33:35 AM
to jenkins...@googlegroups.com
On Wed, Apr 18, 2018 at 7:26 AM Eric Fetzer <eric....@gmail.com> wrote:
> Sorry Mark, not sure if you saw "SECURITY-624" in the table I posted.  Here's the Jenkins Security Advisory:
>
> But then the Jenkins change log shows that with version 2.107 this was addressed (more than just a workaround):  https://jenkins.io/changelog/.  We are at 2.107.1, but the scan is still tagging us on this issue.


As far as I can tell, SECURITY-624 reported an XSS vulnerability in the Ant plugin (and incorrectly reported an XSS vulnerability in Jenkins core).

The 2017-12-05 advisory reported that it was unresolved and provided a workaround.

The 2018-01-22 advisory notes that the problem was specific to Ant plugin versions 1.7 and prior and is fixed in Ant plugin 1.8.  That advisory lists other plugins and their versions, though does not mention if any of those plugins are affected by the XSS vulnerability.

The 2.89.4 LTS changelog reports that changes were made in core to reduce the risk of problems like SECURITY-624.

The 2.107 (weekly) changelog reports the same changes that were made in 2.89.4 LTS to reduce the risk of SECURITY-624 problems.

I assume that it is not enough to upgrade Jenkins core to those versions.  The Ant plugin needs to be upgraded to at least 1.8.  Likewise, I would assume that the other plugins mentioned in the 2018-01-22 advisory need to be upgraded to at least those versions.

Are you running new enough versions of the plugins listed in those advisories?

Mark Waite
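As an added example (not code from this thread or from the Jenkins project), a small Python check that reads a plugin list in the shape Jenkins' /pluginManager/api/json?depth=1 returns and compares the installed Ant plugin and core versions against the fix versions Mark cites (Ant plugin 1.8; core 2.89.4 LTS or 2.107 weekly). It assumes the Ant plugin's shortName is "ant", that three-component core versions are LTS releases, and uses a constructed plugin list instead of a live instance.

```python
"""Verify a Jenkins instance against the SECURITY-624 fix versions."""
import json
import re

# Fix versions as read from the advisories/changelogs in the thread
ANT_PLUGIN_FIXED = "1.8"
CORE_FIXED = {"weekly": "2.107", "lts": "2.89.4"}


def parse_version(version):
    """'2.107.1' -> (2, 107, 1); a qualifier such as '-beta' is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def at_least(installed, fixed):
    """True when the installed version is the fix version or later."""
    return parse_version(installed) >= parse_version(fixed)


def core_fixed(core_version):
    """Assumption: LTS releases carry three components (2.89.4, 2.107.1),
    weekly releases two (2.107); each line has its own fix version."""
    parts = parse_version(core_version)
    fixed = CORE_FIXED["lts"] if len(parts) >= 3 else CORE_FIXED["weekly"]
    return parts >= parse_version(fixed)


def check_security_624(core_version, plugin_manager_json):
    """Summarise core and Ant plugin status from the pluginManager JSON."""
    plugins = json.loads(plugin_manager_json)["plugins"]
    # Assumption: the Ant plugin reports shortName "ant"
    ant = next((p for p in plugins if p["shortName"] == "ant"), None)
    return {
        "core_ok": core_fixed(core_version),
        "ant_installed": ant is not None,
        "ant_version": ant["version"] if ant else None,
        # No Ant plugin means nothing to fix; otherwise it must be >= 1.8
        "ant_ok": ant is None or at_least(ant["version"], ANT_PLUGIN_FIXED),
    }


# Constructed sample mirroring the thread: core 2.107.1 with Ant plugin 1.8
SAMPLE_PLUGINS = json.dumps({"plugins": [
    {"shortName": "ant", "version": "1.8", "active": True},
    {"shortName": "git", "version": "3.8.0", "active": True},
]})

if __name__ == "__main__":
    print(check_security_624("2.107.1", SAMPLE_PLUGINS))
```

Against a live instance, fetch the core version from the X-Jenkins response header and the plugin list from /pluginManager/api/json?depth=1 with an authenticated client, then pass both to check_security_624.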


Daniel Beck
Apr 19, 2018, 8:57:36 AM
to jenkins...@googlegroups.com

> On 18. Apr 2018, at 16:33, Mark Waite <mark.ea...@gmail.com> wrote:
>
> Likewise, I would assume that the other plugins mentioned in the 2018-01-22 advisory need to be upgraded to at least those versions.

Just a quirk of our advisory format. Unless another plugin is specifically mentioned as affected by this, it is not believed to be.

Regarding whether the core update is sufficient, I'm not sure offhand. It could be.

That said, unless you have a strictly locked down Jenkins instance, admins can already XSS other users, so this isn't an issue relevant to most of the real world.

Regarding the security scan, I wouldn't be surprised if they found a reference to Ant (the build tool) and confused it with Ant (the plugin). Most of what we get reported from security scan tools is complete garbage.

Eric Fetzer
Apr 19, 2018, 9:09:28 AM
to jenkins...@googlegroups.com
Thanks Mark!  That's good info.  I'll break it down and see where we stand.


Eric Fetzer
Apr 19, 2018, 9:11:26 AM
to jenkins...@googlegroups.com
Thanks Daniel!  We do have the Ant plugin installed, but our version is updated beyond the affected patch level.
