Bug 1647059 (CVE-2018-1000865, CVE-2018-1000866)

Summary: CVE-2018-1000865 CVE-2018-1000866 jenkins-plugin-script-security: Sandbox Bypass in finalize methods
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Target Release: ---
Keywords: Security
Reporter: Laura Pardo <lpardo>
Assignee: Red Hat Product Security <security-response-team>
CC: ahardin, aos-bugs, bleanhar, bparees, ccoleman, dedgar, eparis, java-sig-commits, jgoulding, jokerman, mchappel, mizdebsk, msrb, nsl, wzheng
Fixed In Version: jenkins-plugin-script-security 1.48
Last Closed: 2021-10-25 22:21:33 UTC
Bug Depends On: 1647060, 1648217, 1648218, 1648788, 1648789, 1648790, 1648791, 1648792, 1648793, 1648794, 1648795, 1648796, 1648797, 1648798, 1648799, 1648800, 1648801, 1648802, 1648803, 1648804, 1648805
Bug Blocks: 1647061

Description Laura Pardo 2018-11-06 15:36:41 UTC
The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.

References:
https://jenkins.io/security/advisory/2018-10-29/

Upstream patches:

https://github.com/jenkinsci/script-security-plugin/commit/16c862ae9d4038a3edbd8bdfb0fd1401a509d56b

https://github.com/jenkinsci/workflow-cps-plugin/commit/e1c56eb6d85d513cb24dfe188e6f592d0ff84b38

https://github.com/jenkinsci/groovy-sandbox/commit/0cd7ec12b7c56cfa3167d99c5f43147ce05449d3

Comment 1 Laura Pardo 2018-11-06 15:37:12 UTC
Created jenkins-script-security-plugin tracking bugs for this issue:

Affects: fedora-all [bug 1647060]

Comment 5 Paul Harvey 2018-11-12 06:55:13 UTC
Mitigation:

Do not run untrusted Jenkins pipeline scripts.

Comment 7 Nicholas Luedtke 2018-12-10 19:41:52 UTC
This got split into two CVEs, CVE-2018-1000865 and CVE-2018-1000866.
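The practical question for an operator reading this bug is whether a given Jenkins instance still runs a Script Security Plugin older than the "Fixed In Version" above (1.48) and therefore still needs the mitigation from Comment 5. The following is an added example, not code from the bug, from Red Hat, or from the Jenkins project: it parses the JSON that Jenkins' plugin manager serves at /pluginManager/api/json?depth=1 (field names shortName and version) and flags tracked plugins below their fixed version. The fixed version for script-security comes from this bug; the workflow-cps (Pipeline: Groovy) version 2.60 is taken from the linked advisory and is an assumption to verify there. The sample JSON is constructed for the example, so it runs offline.

```python
"""Flag Jenkins plugins still affected by the finalize() sandbox bypass
(SECURITY-1186, CVE-2018-1000865 / CVE-2018-1000866).

Added example; not part of the bug report or of any Jenkins code.
Assumptions: input is the JSON served by <jenkins>/pluginManager/api/json?depth=1
(a "plugins" list of objects with "shortName" and "version"), and the fixed
versions in FIXED_VERSIONS are correct for your deployment.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

# Minimum plugin versions containing the fix.
# script-security 1.48 is this bug's "Fixed In Version"; workflow-cps 2.60 is
# an assumption taken from the Jenkins advisory linked in the description.
FIXED_VERSIONS: Dict[str, str] = {
    "script-security": "1.48",
    "workflow-cps": "2.60",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a Jenkins plugin version ("1.48", "2.60.1", "1.48-beta-1")
    into a comparable tuple.

    A pre-release suffix (anything after the first '-') sorts *below* the
    corresponding release, so "1.48-beta-1" is reported as unfixed rather
    than silently treated as 1.48.
    """
    numeric, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in re.findall(r"\d+", numeric))
    return parts + ((-1,) if suffix else (0,))


def is_fixed(installed: str, fixed: str) -> bool:
    """True if the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def affected_plugins(plugin_manager_json: str) -> List[Tuple[str, str, str]]:
    """Return (shortName, installed_version, fixed_version) for every tracked
    plugin present in the plugin-manager JSON that is older than its fix.

    Disabled plugins are reported too: they can be re-enabled without an
    upgrade, so the installed version is what matters.
    """
    data = json.loads(plugin_manager_json)
    findings: List[Tuple[str, str, str]] = []
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        if name not in FIXED_VERSIONS:
            continue
        fixed = FIXED_VERSIONS[name]
        installed = str(plugin.get("version", "0"))
        if not is_fixed(installed, fixed):
            findings.append((name, installed, fixed))
    return findings


# Constructed sample response (not captured from a real instance): one plugin
# below the fixed version, one at it, and one unrelated plugin.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1.47", "active": True},
        {"shortName": "workflow-cps", "version": "2.60", "active": True},
        {"shortName": "git", "version": "3.9.1", "active": True},
    ]
})


if __name__ == "__main__":
    # Usage: save the plugin-manager JSON locally first, e.g.
    #   curl -u user:token 'https://jenkins.example/pluginManager/api/json?depth=1' > plugins.json
    # then run: python check_script_security.py plugins.json
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            payload = fh.read()
    else:
        payload = SAMPLE_PLUGIN_MANAGER_JSON
    for name, installed, fixed in affected_plugins(payload):
        print(f"{name}: installed {installed}, fixed in {fixed}; "
              f"apply the mitigation (no untrusted Pipeline scripts) until upgraded")
```

Version strings are compared numerically per dotted component rather than as text, so that 2.60 is correctly ranked above 2.6 and 1.48.1 above 1.48; anything after a hyphen is treated as a pre-release of the preceding number and therefore as not yet fixed.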