Jenkins Security Advisory 2014-10-30
This advisory announces a security vulnerability/hardening (CVE-2014-3665) in Jenkins core.
Historically, Jenkins master and slaves behaved as if they altogether form a single distributed process. This means a slave can ask a master to do just about anything within the confinement of the operating system, such as accessing files on the master or trigger other jobs on Jenkins. This has increasingly become problematic, as larger enterprise deployments have developed more sophisticated trust separation model, where the administators of a master might take slaves owned by other teams. In such an environment, slaves are less trusted than the master. Yet the “single distributed process” assumption was not communicated well to the users, resulting in vulnerabilities in some deployments. SECURITY-144 (CVE-2014-3665) introduces a new subsystem to address this problem. This feature is off by default for compatibility reasons. See Wiki for more details, who should turn this on, and implications.
CVE-2014-3566 is rated high. It only affects installations that accept slaves from less trusted computers, but this will allow an owner of of such slave to mount a remote code execution attack on Jenkins.
The following versions are affected, but only if you connect slaves that are managed by less trusted users. Affected users on those versions should upgrade to the following versions:
- All the main line releases < 1.587 should upgrade to 1.587
- All the LTS releases < 1.580.1 should upgrade to 1.580.1
- Jenkins Enterprise by CloudBees releases 1.532.x should upgrade to 1.532.11.1
- Jenkins Enterprise by CloudBees releases 1.554.x should upgrade to 1.554.11.1
- Jenkins Enterprise by CloudBees releases 1.565.x should upgrade to 1.565.11.1
- Jenkins Operations Center by CloudBees releases 1.554.x should upgrade to 1.554.11.1
DEV@cloud has this fix already rolled out. This should not affect your use, but if you suspect any regressions, please open a support ticket.