James Steidl - Fotolia
Despite your best attempts, security vulnerabilities will undoubtedly pop up in your Jenkins automation server. Hackers will target these weak areas to gain access and do damage to your system. If you're concerned about these Jenkins vulnerabilities, one of the first places you should visit is the Jenkins Security Advisory page.
This page details the current and past Jenkins vulnerabilities, shows which Jenkins core programs or plugins were affected, and how or if they've been fixed. Users will also find if some vulnerable plugins have dependencies -- required, optional or implied -- that may or may not be affected.
The Jenkins Security Advisory 2019-01-28 gives a list of 14 plugins that were found to be vulnerable:
- Active Directory
- Blue Ocean
- Config File Provider
- GitHub Authentication
- Job Import
- OpenId Connect Authentication
- Script Security
- Token Macro
- Warnings Next Generation
Plugin interactions and relationships can be a tangled web for developers to navigate. The DevOps team should maintain a list of Jenkins vulnerabilities and affected plugins to make it easier to identify problems as they come up. The team should also include updated versions of Jenkins to successfully implement the unaffected and fixed plugins and their dependencies.
In its Security Advisory notices, Jenkins indicates the affected versions of each plugin, describes the vulnerabilities and fixes, and also rates the severity of the vulnerabilities from low to high. Let's look at four vulnerable plugins: Git, GitHub Authentication, Token Macro and Active Directory.
The Git plugin is a tool used in version control systems, which is an important component of any Jenkins server. This plugin has 15 dependencies -- required, optional and implied.
An older Git plugin version included a cross-site request forgery vulnerability that could allow an attacker to capture credentials. An attacker can bypass the Overall/Read access to Jenkins to find lists of usernames and node names. Service-side request forgery occurs when a form validation in GitHub fails to check the permission of the user who wants to access the plugin.
This vulnerability's severity is low only if any previous dependencies were fixed. Low vulnerability means that a user should use the Git plugin with caution. However, it doesn't remove the risk of an attacker capturing usernames.
Token Macro plugin
The Git plugin is dependent on an optional Token Macro plugin that, in turn, has five dependencies. Token Macro's function is to add reusable macro expand capability for other plugins to use. This plugin currently doesn't recursively apply token expansion.
In older versions, there is a medium vulnerability severity. The plugin could allow an attacker to exploit recursively applied token expansion. An attacker could affect input to token expansion -- for example, by changing log messages -- and inject additional tokens into the input, which would then be expanded. Malicious expansion could lead to data exposure -- for example, environment variable values -- or a denial of service.
If not fixed, the affected Token Macro plugin may cause the Git plugin not to work properly.
GitHub Authentication plugin
This plugin provides a means to use GitHub for authentication and authorization to secure Jenkins. It is dependent on the required Git plugin, which is one of the six required dependencies. The older version is not safe to use and has two vulnerabilities.
The first of two Jenkins vulnerabilities is that, while the plugin stored encrypted data on the Jenkins configuration, it was transmitted in plain text. An attacker could exploit the exposed client secret through browser extensions and cross-site scripting vulnerabilities. The plugin now ensures the client secret is transmitted as encrypted and has a low vulnerability rating.
The second vulnerability failed to invalidate the previous session and didn't create a new one after a successful login. This vulnerability could allow an attacker to control or obtain another user's pre-login session ID and impersonate that user on the server. The plugin now invalidates the previous session during login and creates a new one, which results in a medium vulnerability rating.
Active Directory plugin
Jenkins runs on two platforms. If Jenkins runs on a Windows machine, the machine must be a domain member for proper authentication. Active Directory Service Interfaces is used to set up the configuration.
If Jenkins runs on a non-Windows machine, Jenkins must be provided with the Active Directory domain name(s) for authentication. Domain name system service records and the Lightweight Directory Access Protocol (LDAP) service of Active Directory are used to authenticate users.
In older versions, there is a high vulnerability rating. The plugin didn't verify Active Directory server certificates and opened the door for man-in-the-middle attacks to occur. The plugin performs a Transport Layer Security (TLS) upgrade -- called StartTLS -- after connecting to domain controllers through insecure LDAP. The secure LDAP mode is unaffected when you set the system property ActiveDirectorySecurityRealm.forceLdaps to true.
With the fix, the plugin properly validates certificates according to the TLS trust configuration when you perform a TLS upgrade.