SB2018051526 - Multiple vulnerabilities in Jenkins Jenkins

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Inadequate Encryption Strength (CVE-ID: CVE-2017-2598)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).

2) Cross-site scripting (CVE-ID: CVE-2017-2607)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Information disclosure (CVE-ID: CVE-2017-2600)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/95948
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598
• https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b
• https://jenkins.io/security/advisory/2017-02-01/
• http://www.securityfocus.com/bid/95963
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2607
• http://www.securityfocus.com/bid/95954
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2600
• https://github.com/jenkinsci/jenkins/commit/0f92cd08a19207de2cceb6a2f4e3e9f92fdc0899