Re: Multiple vulnerabilities in Jenkins

[Daniel Beck <ml () beckweb net>]

> On 14. Dec 2017, at 04:10, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-667
> A race condition during Jenkins startup could result in the wrong order of
> execution of commands during initialization.
>
> On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases
> (we estimate less than 20% of new instances) result in failure to
> initialize the setup wizard on the first startup. This resulted in multiple
> security-related settings not being set to their usual strict default.
> Affected instances need to be configured to restrict access.

CVE-2017-1000503

> Additionally, there's a very short window of time after startup during
> which Jenkins may no longer show the "Please wait while Jenkins is getting
> ready to work" message, but Cross-Site Request Forgery (CSRF) protection
> may not yet be effective. As of publication of this advisory, we've been
> unable to confirm this can actually be exploited, but generally recommend
> that users upgrade their instances.

CVE-2017-1000504