oss-sec mailing list archives
Multiple vulnerabilities in Jenkins
From: Daniel Beck <ml () beckweb net>
Date: Thu, 14 Dec 2017 04:10:26 +0100
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software. The following releases contain fixes for security vulnerabilities: * Jenkins (weekly) 2.95 * Jenkins (LTS) 2.89.2 Descriptions of the vulnerabilities are below. Some more details, severity, and attribution can be found here: https://jenkins.io/security/advisory/2017-12-14/ We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you discover security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- SECURITY-667 A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization. On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. Affected instances need to be configured to restrict access. Additionally, there's a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective. As of publication of this advisory, we've been unable to confirm this can actually be exploited, but generally recommend that users upgrade their instances.
Current thread:
- Multiple vulnerabilities in Jenkins Daniel Beck (Oct 11)
- Re: Multiple vulnerabilities in Jenkins Daniel Beck (Nov 17)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins Daniel Beck (Nov 08)
- Re: Multiple vulnerabilities in Jenkins Daniel Beck (Nov 17)
- Multiple vulnerabilities in Jenkins Daniel Beck (Dec 13)