Bug 1326403 (CVE-2016-3102)

Summary: CVE-2016-3102 jenkins: Groovy sandbox protection incomplete in Script Security Plugin (SECURITY-258)
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, bleanhar, ccoleman, dmcphers, java-sig-commits, jialiu, jkeck, joelsmith, jokerman, kseifried, lmeyer, mizdebsk, mmccomas, msrb, tiwillia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Jenkins 1.17, Jenkins 1.18.1
Doc Type: Bug Fix
Last Closed: 2016-05-04 18:46:11 UTC
Type: ---
Regression: ---
Bug Depends On: 1326407, 1326408
Bug Blocks: 1326405

Description Adam Mariš 2016-04-12 15:18:19 UTC
The following flaw was found in Jenkins:

The Script Security plugin provides a Groovy sandbox implementation to other plugins that only allows whitelisted commands to be executed. This sandbox did not cover direct field access (foo.@bar) or get/set array operations (foo[bar]).

External References:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11
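The description above says the sandbox whitelisted commands but did not intercept direct field reads (foo.@bar) or array get/set (foo[bar]). The following is an added illustration, not Jenkins or Script Security Plugin code: a Python-AST analogue of the same class of gap. It contrasts a checker that inspects only calls with one that also inspects every attribute and subscript node, including those in assignment targets. The whitelists, variable names and sample scripts are constructed for the example.

```python
"""Toy whitelist sandbox (constructed example, not Jenkins code).

check_calls_only  -- incomplete policy: only call sites are intercepted,
                     so field access and array/map access slip through.
check_complete    -- the same policy extended to attribute and subscript
                     nodes, which is what closes the gap.
"""
import ast
import builtins

# Constructed whitelists: names that may be called directly, and
# field/method names that may be read or invoked on a value.
ALLOWED_CALLS = {"len", "min", "max"}
ALLOWED_ATTRS = {"upper", "lower", "strip"}


class SandboxViolation(Exception):
    """Raised when a script uses an operation outside the whitelist."""


def _check_call(node: ast.Call) -> None:
    func = node.func
    if isinstance(func, ast.Name):
        ok = func.id in ALLOWED_CALLS            # plain function call
    elif isinstance(func, ast.Attribute):
        ok = func.attr in ALLOWED_ATTRS          # method call on a value
    else:
        ok = False                               # computed callee: never allowed
    if not ok:
        raise SandboxViolation(f"call not whitelisted: {ast.unparse(func)}")


def check_calls_only(src: str) -> ast.Module:
    """Incomplete policy: intercepts calls only. Analogue of a sandbox that
    whitelists commands but ignores foo.@bar and foo[bar]."""
    tree = ast.parse(src, mode="exec")
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            _check_call(node)
    return tree


def check_complete(src: str) -> ast.Module:
    """Complete policy: every field read/write (ast.Attribute) and every
    array/map get/set (ast.Subscript) is checked too. ast.walk also visits
    assignment targets, so stores are covered along with loads."""
    tree = check_calls_only(src)
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            raise SandboxViolation(f"field access not whitelisted: .{node.attr}")
        if isinstance(node, ast.Subscript):
            raise SandboxViolation(
                "array/map access not whitelisted: " + ast.unparse(node))
    return tree


def is_allowed(src: str, complete: bool = True) -> bool:
    """True if `src` passes the chosen policy without executing it."""
    try:
        (check_complete if complete else check_calls_only)(src)
        return True
    except SandboxViolation:
        return False


def run(src: str, variables: dict, complete: bool = True) -> dict:
    """Check `src`, then execute it with only whitelisted builtins and the
    supplied variables; returns the resulting namespace."""
    tree = check_complete(src) if complete else check_calls_only(src)
    env = {"__builtins__": {n: getattr(builtins, n) for n in ALLOWED_CALLS}}
    env.update(variables)
    exec(compile(tree, "<sandbox>", "exec"), env)
    return env


if __name__ == "__main__":
    # Constructed sample data; the "token" value is a placeholder.
    data = {"name": "jenkins", "secrets": {"token": "placeholder-token"}}
    print(run("out = len(name.upper())", dict(data))["out"])
    for script in ("out = secrets['token']", "secrets['token'] = 'x'", "out = name.upper"):
        print(f"{script!r}: calls-only={is_allowed(script, False)} "
              f"complete={is_allowed(script, True)}")
```

The calls-only checker accepts a bare field read and a subscript get or set because neither produces an ast.Call node; the complete checker rejects both while still allowing the whitelisted `len(name.upper())`. The point carries over to any interceptor-based sandbox: every access path the language offers (call, property, direct field, array get, array set) needs its own hook, or the whitelist is only enforced on some of them.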

Comment 2 Adam Mariš 2016-04-12 15:21:39 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1326408]

Comment 3 Kurt Seifried 2016-05-04 18:46:11 UTC
These are in Jenkins plugins that do not ship with OpenShift Enterprise.

Comment 4 Fedora Update System 2016-05-17 15:13:42 UTC
jenkins-1.651.1-1.fc24, jenkins-credentials-plugin-1.27-1.fc24, jenkins-junit-plugin-1.12-1.fc24, jenkins-mailer-plugin-1.17-1.fc24, jenkins-remoting-2.57-1.fc24, jenkins-script-security-plugin-1.18.1-1.fc24, owasp-java-html-sanitizer-20160422.1-1.fc24, stapler-1.242-1.fc24, tiger-types-2.2-1.fc24 have been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.