Jenkins integration server suffers security vulnerabilities
- 17 September, 2012 20:48
Jenkins, the open source continuous integration server that forked out of Oracle's Hudson project, is facing several security vulnerabilities Monday, with the Jenkins project leader recommending upgrades to the Jenkins core and some plug-ins to fix the problems.
A security advisory posted by project leader Kohsuke Kawaguchi cites four vulnerabilities, including two affecting the Jenkins core. The first vulnerability has been deemed critical. "The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins," the security advisory said.
The second vulnerability in the core involves a cross-site scripting vulnerability, allowing an attacker to craft a URL that points to Jenkins, with an attacker able to hijack a legitimate user's session. Two other vulnerabilities, also involving cross-site scripting, affect the Violations and Continuous Integration Game plugins. The Violations plug-in scans for violation XML files in the build workspace; the Game plug-in offers tips on improving builds.
To fix the core vulnerabilities, mainline users should upgrade to Jenkins 1.482, and LTS (Long-Term Support) users should upgrade to version 1.466.2. To fix the Violations plug-in, users should upgrade to version 0.7.11 or later, while the CI Game plug-in can be remedied by upgrading to 1.19 or later.
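The upgrade guidance above has a trap for anyone auditing an estate of Jenkins masters: the LTS fix 1.466.2 is numerically lower than the mainline fix 1.482, so a naive version comparison would flag patched LTS servers as vulnerable and pass an unpatched mainline 1.470. The following inventory check is an added example, not code from the Jenkins project or the advisory; it assumes LTS releases are the three-component versions (1.466.2) and mainline the two-component ones, and uses "violations" and "ci-game" as assumed plug-in identifiers.

```python
"""Check Jenkins core and plug-in versions against the fix levels in the advisory."""
from typing import Dict, List, Tuple

# Fix levels named in the advisory: mainline core 1.482, LTS core 1.466.2,
# Violations plug-in 0.7.11, CI Game plug-in 1.19.
CORE_MAINLINE_FIX = (1, 482)
CORE_LTS_FIX = (1, 466, 2)
PLUGIN_FIXES = {"violations": (0, 7, 11), "ci-game": (1, 19)}  # assumed plug-in ids


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.466.2' into (1, 466, 2); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def core_is_fixed(version: str) -> bool:
    """LTS releases (three components) live on their own line, so 1.466.2 is
    fixed although it is numerically below 1.482, while mainline 1.470 is not.
    Compare each version only against the fix level of its own line."""
    v = parse_version(version)
    if len(v) >= 3:                        # LTS line, e.g. 1.466.2
        return v[:3] >= CORE_LTS_FIX
    return v[:2] >= CORE_MAINLINE_FIX      # mainline line, e.g. 1.482


def plugin_is_fixed(name: str, version: str) -> bool:
    """Plug-ins not named in the advisory are not findings."""
    fix = PLUGIN_FIXES.get(name)
    if fix is None:
        return True
    v = parse_version(version)
    return v + (0,) * (len(fix) - len(v)) >= fix   # pad '1.19' to match fix length


def audit(core: str, plugins: Dict[str, str]) -> List[str]:
    """Return the components of one master that are still below their fix level."""
    findings = []
    if not core_is_fixed(core):
        findings.append(f"jenkins-core {core}")
    for name, ver in plugins.items():
        if not plugin_is_fixed(name, ver):
            findings.append(f"{name} {ver}")
    return findings


if __name__ == "__main__":
    # Constructed inventory for illustration, not a real installation.
    print(audit("1.466.1", {"violations": "0.7.10", "ci-game": "1.19"}))
```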
Kawaguchi said the fixes plug all known holes. "However, the nature of this game is such that someone will find a new vulnerability --- it's just a matter of when. So we encourage users, especially those who run Jenkins in a higher-risk environment (on the public Internet, in a security sensitive environment, etc.), to monitor security advisories by subscribing to the mailing list or an RSS feed."
He assuaged fears about the vulnerabilities, noting limitations. "Those who are running Jenkins inside a corporate firewall, which I think are the majority, [have] a mitigating factor, because one of the vulnerabilities requires an attacker to have an HTTP access to the Jenkins master and the other vulnerability requires the attacker to know the URL of your Jenkins. So it pretty much requires an attacker to be an insider." But he added, "Nonetheless, we recommend everyone to update to a version that contains the fix in a timely fashion."
Jenkins forked out of Project Hudson in the wake of Oracle's 2010 acquisition of Sun Microsystems. Oracle has since handed Hudson over to the Eclipse Foundation.
This article, "Jenkins integration server suffers security vulnerabilities," was originally published at InfoWorld.com.