Security Vulnerability on my Jenkins Server


eric....@gmail.com

Aug 24, 2020, 10:48:22 AM
to Jenkins Users
Hi all!  I'm getting hit by my security team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Is there a way to configure ciphers accepted for the Jenkins CLI?

Thanks,
Eric

Ivan Fernandez Calvo

Aug 24, 2020, 1:09:43 PM
to Jenkins Users
Yes, you can configure the ciphers accepted by your JDK by editing the file lib\security\java.security (the path will vary based on your Java version).

eric....@gmail.com

Aug 25, 2020, 3:59:49 PM
to Jenkins Users
I'm confused.  It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system.  We're getting flagged for:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Settings are:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Am I missing this? Not a Java security expert by any means...  Thanks!

eric....@gmail.com

Aug 26, 2020, 10:06:22 AM
to Jenkins Users

Ivan Fernandez Calvo

Aug 26, 2020, 2:39:40 PM
to Jenkins Users
I was wrong: you cannot configure the ciphers for the SSH server in the Java security files. The SSH server in Jenkins uses https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation of the SSH server does not read the sshd_config files, so it is not possible to configure the SSH server that way. Apache MINA has deprecated and disabled those algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004); the sshd-module and the CLI are using 1.7.0 (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I guess both should bump the dependency to remove support for weak algorithms.

eric....@gmail.com

Feb 9, 2021, 11:19:39 AM
to Jenkins Users
I'm sorry, I just saw the last comment on here and, once again, this showed up on our vulnerability report.  I don't get exactly what I need to do in order to fix this.  Can someone lay it out for me please?  Thanks - Eric

kuisathaverat

Feb 9, 2021, 2:23:25 PM
to jenkins...@googlegroups.com
There is work in progress to bump the version of the library and convert the sshd-module into a plugin, to resolve this kind of issue quickly. For the moment you can configure the sshd servers on the agent side to not allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.

Eric Fetzer

Feb 10, 2021, 11:24:21 AM
to jenkins...@googlegroups.com
Hmmm, I already hardened by that link:  https://www.ssh.com/ssh/sshd_config

My /etc/ssh/sshd_config has:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

This is still showing up on my security scan though.  Am I missing something?

Thanks,
Eric

kuisathaverat

Feb 10, 2021, 11:40:22 AM
to jenkins...@googlegroups.com
hmac-* are message authentication code algorithms (MACs), so you have to configure which MACs are supported, for example:

MACs hmac-sha2-256,hmac-sha2-512
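As an added example (not code from this thread, from Jenkins or from OpenSSH), the following Python script checks what an OpenSSH sshd_config actually says about MACs, applying OpenSSH's first-match rule, the `+`/`-`/`^` modifier syntax and Match blocks, which a plain grep for the MACs line misses. The weak-MAC set is an assumed policy built from the three names the scan flagged plus plain hmac-sha1; the sample configs are constructed for the example. Keep in mind that this file governs the host's OpenSSH daemon only; as the thread goes on to establish, the port the Jenkins CLI listens on is a separate embedded server.

```python
import re

# Assumed policy for this example: the MACs the scan in this thread flagged,
# plus plain hmac-sha1, which most hardening guides also reject.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-sha1"}

# Constructed sample configs (not copied from the thread).
HARDENED_CONFIG = """\
# hardened sshd_config fragment
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
"""

WEAK_CONFIG = """\
Port 22
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96   # legacy clients
MACs hmac-sha2-512                         # ignored: first match wins
"""


def parse_sshd_config(text):
    """Return {directive: value}, keeping only the first occurrence of each.

    OpenSSH applies the first matching directive and accepts either
    'Key value' or 'Key=value'. Directives inside a Match block are skipped
    here because they apply only conditionally.
    """
    result = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        result.setdefault(key, value)
    return result


def algorithm_list(value):
    """Split an algorithm directive into (modifier, [names]).

    A leading '+' appends to the built-in defaults, '-' removes from them and
    '^' prepends to them; with no modifier the list replaces the defaults.
    """
    modifier = ""
    if value[:1] in ("+", "-", "^"):
        modifier, value = value[0], value[1:]
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return modifier, names


def audit_macs(config_text, weak=WEAK_MACS):
    """Decide what the MACs directive says about weak algorithms.

    Returns {"explicit": [...], "verdict": ...} where verdict is
      "weak"      - the file enables a weak MAC outright
      "hardened"  - the file replaces the defaults with a list free of weak MACs
      "defaults"  - no MACs line, or a modifier form, so the OpenSSH build's
                    default list decides; check the effective set with `sshd -T`
    """
    cfg = parse_sshd_config(config_text)
    if "macs" not in cfg:
        return {"explicit": [], "verdict": "defaults"}
    modifier, names = algorithm_list(cfg["macs"])
    if modifier == "-":
        # these names are being removed from the defaults, not enabled
        return {"explicit": [], "verdict": "defaults"}
    explicit = sorted(n for n in names if n in weak)
    if explicit:
        return {"explicit": explicit, "verdict": "weak"}
    if modifier:
        return {"explicit": [], "verdict": "defaults"}
    return {"explicit": [], "verdict": "hardened"}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        print(audit_macs(fh.read()))
```

Run it against a copy of the agent's sshd_config; a "defaults" verdict means the file alone cannot answer the question and `sshd -T` on that host is the authoritative view of the effective MAC list.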

Eric Fetzer

Feb 10, 2021, 12:28:53 PM
to jenkins...@googlegroups.com
My MACs line says:

MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ri...@openssh.com

I believe this is hardened, isn't it?

Thanks,
Eric

kuisathaverat

Feb 10, 2021, 3:25:57 PM
to jenkins...@googlegroups.com
I've re-read your first message; you ask about "Jenkins CLI over SSH", and there you cannot do anything until we replace the ssh-module. The module will support those MACs and it is not possible to disable them. However, I doubt that the Jenkins CLI uses those MACs, and you can always use HTTPS.
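To confirm what a scanner sees on the Jenkins CLI SSH port itself, rather than on the host's OpenSSH daemon, the following Python script does the SSH version exchange and decodes the server's SSH_MSG_KEXINIT, the unencrypted first packet that lists every MAC the server offers (RFC 4253, section 7.1). This is an added example, not code from the thread, Jenkins or Apache MINA; the sample KEXINIT is constructed here, and the host, port and weak-MAC set are assumptions to replace with your own.

```python
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Name lists in the order RFC 4253 section 7.1 defines them.
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}   # the names the scan flagged


def _read_string(buf, offset):
    """Decode an SSH 'string' (uint32 length + bytes) starting at offset."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def parse_kexinit(payload):
    """Turn an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset = 1 + 16                      # message id + 16-byte cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        raw, offset = _read_string(payload, offset)
        fields[name] = [n for n in raw.decode("ascii").split(",") if n]
    return fields


def build_kexinit(fields):
    """Encode name lists as a KEXINIT payload (used here to build sample data)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16     # a zero cookie suffices for a sample
    for name in KEXINIT_FIELDS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"        # first_kex_packet_follows, reserved


def build_packet(payload, block_size=8):
    """Wrap a payload in an unencrypted SSH binary packet (RFC 4253 section 6)."""
    padding = block_size - (5 + len(payload)) % block_size
    if padding < 4:                      # the RFC requires at least 4 padding bytes
        padding += block_size
    header = struct.pack(">IB", 1 + len(payload) + padding, padding)
    return header + payload + b"\x00" * padding


def parse_packet(data):
    """Extract the payload from an unencrypted SSH binary packet."""
    packet_length, padding = struct.unpack_from(">IB", data, 0)
    return data[5:5 + packet_length - 1 - padding]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def fetch_server_kexinit(host, port, timeout=5.0):
    """Exchange version strings, then return the server's KEXINIT name lists.

    Nothing is encrypted before key exchange completes, so the server's first
    packet can be decoded directly. Lines before the 'SSH-' banner are allowed
    by the RFC and are skipped.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-mac_audit_example\r\n")
        line = b""
        while not line.startswith(b"SSH-"):
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)
        header = _recv_exact(sock, 5)
        packet_length = struct.unpack_from(">I", header)[0]
        return parse_kexinit(parse_packet(header + _recv_exact(sock, packet_length - 1)))


def weak_macs_offered(fields, weak=WEAK_MACS):
    """Weak MACs the server offers in either direction, sorted."""
    offered = set(fields["mac_algorithms_client_to_server"]) | set(fields["mac_algorithms_server_to_client"])
    return sorted(offered & weak)


# Constructed sample: a server that still offers the flagged MACs (not a real capture).
_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96"]
SAMPLE_FIELDS = {
    "kex_algorithms": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes256-ctr"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes256-ctr"],
    "mac_algorithms_client_to_server": _MACS, "mac_algorithms_server_to_client": _MACS,
    "compression_algorithms_client_to_server": ["none"], "compression_algorithms_server_to_client": ["none"],
}
SAMPLE_PACKET = build_packet(build_kexinit(SAMPLE_FIELDS))

if __name__ == "__main__":
    # usage: python kexinit_audit.py <jenkins-host> <jenkins-ssh-port>   (assumed values)
    if len(sys.argv) == 3:
        fields = fetch_server_kexinit(sys.argv[1], int(sys.argv[2]))
    else:
        fields = parse_kexinit(parse_packet(SAMPLE_PACKET))
    print("weak MACs offered:", weak_macs_offered(fields) or "none")
```

Point it at the port configured under Jenkins' SSH server settings, not port 22: if the flagged MACs appear there and not on port 22, the finding belongs to the embedded Apache MINA server, and the remediation is the dependency bump discussed above or switching CLI users to HTTPS, not further edits to sshd_config.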

Eric Fetzer

Feb 10, 2021, 3:43:06 PM
to jenkins...@googlegroups.com
Thanks, guess we'll have to wait.  It's not based on what we do, it's just a security scan software.  It's not like anyone can get to it anyway, it's inside the wall, but it is what it is.  This one will have to become a POAM.  Do you have any clue when the fix is coming up?  Again, THANKS for all your help!
