Bug 1542730 (CVE-2018-1000058)

Summary: CVE-2018-1000058 jenkins-plugin-workflow-support: Arbitrary code execution due to incomplete sandbox protection in Pipeline: Supporting APIs Plugin
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dedgar, dmcphers, jgoulding, jkeck, kseifried
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins-plugin-workflow-support 2.18 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-16 03:03:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1542732    

Description Laura Pardo 2018-02-06 22:15:59 UTC 
A flaw was found in Jenkins Pipeline: Supporting APIs Plugin. Pipelines are subject to script security: Either the entire Pipeline needs to be approved, or it runs in a sandbox, with only whitelisted methods etc. allowed to be called. Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.


References:
https://jenkins.io/security/advisory/2018-02-05/ [SECURITY-699 / CVE-2018-1000058]