Advisories

Arch Linux Security Advisory ASA-202111-1
=========================================

Severity: Critical
Date    : 2021-11-05
CVE-ID  : CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688
          CVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692
          CVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696
          CVE-2021-21697
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2526

Summary
=======

The package jenkins before version 2.319-1 is vulnerable to multiple
issues including arbitrary filesystem access and sandbox escape.

Resolution
==========

Upgrade to 2.319-1.

# pacman -Syu "jenkins>=2.319-1"

The problems have been fixed upstream in version 2.319.

Workaround
==========

If you are unable to immediately upgrade to Jenkins 2.319 right away,
you can install the Remoting Security Workaround Plugin. It will
prevent all agent-to-controller file access using FilePath APIs.
Because it is more restrictive than Jenkins 2.319, more plugins are
incompatible with it. Make sure to read the plugin documentation before
installing it.

Description
===========

- CVE-2021-21685 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#mkdirs does not check permission to create parent directories.
This allows agent processes to read and write arbitrary files on the
Jenkins controller file system, and obtain some information about
Jenkins controller file systems.

- CVE-2021-21686 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. File
path filters do not canonicalize paths, allowing operations to follow
symbolic links to outside allowed directories. This allows agent
processes to read and write arbitrary files on the Jenkins controller
file system, and obtain some information about Jenkins controller file
systems.

- CVE-2021-21687 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#untar does not check permission to create symbolic links when
unarchiving a symbolic link. This allows agent processes to read and
write arbitrary files on the Jenkins controller file system, and obtain
some information about Jenkins controller file systems.

- CVE-2021-21688 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#reading(FileVisitor) does not reject any operations, allowing
users to have unrestricted read access using certain operations
(creating archives, #copyRecursiveTo). This allows agent processes to
read and write arbitrary files on the Jenkins controller file system,
and obtain some information about Jenkins controller file systems.

- CVE-2021-21689 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#unzip and FilePath#untar were not subject to any access
control. This allows agent processes to read and write arbitrary files
on the Jenkins controller file system, and obtain some information
about Jenkins controller file systems.

- CVE-2021-21690 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. Agent
processes are able to completely bypass file path filtering by wrapping
the file operation in an agent file path. This allows agent processes
to read and write arbitrary files on the Jenkins controller file
system, and obtain some information about Jenkins controller file
systems.

- CVE-2021-21691 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
Creating symbolic links is possible without the symlink permission.
This allows agent processes to read and write arbitrary files on the
Jenkins controller file system, and obtain some information about
Jenkins controller file systems.

- CVE-2021-21692 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. The
operations FilePath#renameTo and FilePath#moveAllChildrenTo only check
read permission on the source path. This allows agent processes to read
and write arbitrary files on the Jenkins controller file system, and
obtain some information about Jenkins controller file systems.

- CVE-2021-21693 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319. When
creating temporary files, permission to create files is only checked
after they’ve been created. This allows agent processes to read and
write arbitrary files on the Jenkins controller file system, and obtain
some information about Jenkins controller file systems.

- CVE-2021-21694 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,
FilePath#isDescendant, and FilePath#get*DiskSpace do not check any
permissions. This allows agent processes to read and write arbitrary
files on the Jenkins controller file system, and obtain some
information about Jenkins controller file systems.

- CVE-2021-21695 (arbitrary filesystem access)

A security issue has been found in Jenkins before version 2.319.
FilePath#listFiles lists files outside directories with agent read
access when following symbolic links. This allows agent processes to
read and write arbitrary files on the Jenkins controller file system,
and obtain some information about Jenkins controller file systems.

- CVE-2021-21696 (sandbox escape)

Jenkins before version 2.319 does not limit agent read/write access to
the libs/ directory inside build directories when using the FilePath
APIs. This directory is used by the "Pipeline: Shared Groovy Libraries"
Plugin to store copies of shared libraries.

This allows attackers in control of agent processes to replace the code
of a trusted library with a modified variant, resulting in unsandboxed
code execution in the Jenkins controller process.

Jenkins 2.319 prohibits agent read/write access to the libs/ directory
inside build directories.

- CVE-2021-21697 (arbitrary filesystem access)

Agents are allowed some limited access to files on the Jenkins
controller file system. The directories agents are allowed to access in
Jenkins before 2.319 include the directories storing build-related
information, intended to allow agents to store build-related metadata
during build execution. As a consequence, this allows any agent to read
and write the contents of any build directory stored in Jenkins with
very few restrictions (build.xml and some Pipeline-related metadata).

Jenkins 2.319 prevents agents from accessing contents of build
directories unless it’s for builds currently running on the agent
attempting to access the directory.

Impact
======

Agent processes could read and write arbitrary files on the Jenkins
controller file system, and obtain some information about Jenkins
controller file systems.

References
==========

https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428
https://security.archlinux.org/CVE-2021-21685
https://security.archlinux.org/CVE-2021-21686
https://security.archlinux.org/CVE-2021-21687
https://security.archlinux.org/CVE-2021-21688
https://security.archlinux.org/CVE-2021-21689
https://security.archlinux.org/CVE-2021-21690
https://security.archlinux.org/CVE-2021-21691
https://security.archlinux.org/CVE-2021-21692
https://security.archlinux.org/CVE-2021-21693
https://security.archlinux.org/CVE-2021-21694
https://security.archlinux.org/CVE-2021-21695
https://security.archlinux.org/CVE-2021-21696
https://security.archlinux.org/CVE-2021-21697

ArchLinux: 202111-1: jenkins: multiple issues

November 9, 2021
The package jenkins before version 2.319-1 is vulnerable to multiple issues including arbitrary filesystem access and sandbox escape

Summary

- CVE-2021-21685 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. FilePath#mkdirs does not check permission to create parent directories. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21686 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21687 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21688 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. FilePath#reading(FileVisitor) does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, #copyRecursiveTo). This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21689 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. FilePath#unzip and FilePath#untar were not subject to any access control. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21690 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21691 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. Creating symbolic links is possible without the symlink permission. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21692 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21693 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. When creating temporary files, permission to create files is only checked after they’ve been created. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21694 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21695 (arbitrary filesystem access)
A security issue has been found in Jenkins before version 2.319. FilePath#listFiles lists files outside directories with agent read access when following symbolic links. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
- CVE-2021-21696 (sandbox escape)
Jenkins before version 2.319 does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the "Pipeline: Shared Groovy Libraries" Plugin to store copies of shared libraries.
This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.
Jenkins 2.319 prohibits agent read/write access to the libs/ directory inside build directories.
- CVE-2021-21697 (arbitrary filesystem access)
Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins before 2.319 include the directories storing build-related information, intended to allow agents to store build-related metadata during build execution. As a consequence, this allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).
Jenkins 2.319 prevents agents from accessing contents of build directories unless it’s for builds currently running on the agent attempting to access the directory.

Resolution

Upgrade to 2.319-1.
# pacman -Syu "jenkins>=2.319-1"
The problems have been fixed upstream in version 2.319.

References

https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423 https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428 https://security.archlinux.org/CVE-2021-21685 https://security.archlinux.org/CVE-2021-21686 https://security.archlinux.org/CVE-2021-21687 https://security.archlinux.org/CVE-2021-21688 https://security.archlinux.org/CVE-2021-21689 https://security.archlinux.org/CVE-2021-21690 https://security.archlinux.org/CVE-2021-21691 https://security.archlinux.org/CVE-2021-21692 https://security.archlinux.org/CVE-2021-21693 https://security.archlinux.org/CVE-2021-21694 https://security.archlinux.org/CVE-2021-21695 https://security.archlinux.org/CVE-2021-21696 https://security.archlinux.org/CVE-2021-21697

Severity
CVE-ID : CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688
CVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692
CVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696
CVE-2021-21697
Package : jenkins
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2526

Impact

Agent processes could read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.

Workaround

If you are unable to immediately upgrade to Jenkins 2.319 right away, prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.

Related News

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.