Bug 1656865 (CVE-2018-1000861)

Summary: CVE-2018-1000861 jenkins: code execution through crafted URLs (SECURITY-595)
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, ahardin, aos-bugs, bleanhar, bparees, ccoleman, dbaker, dedgar, eparis, java-sig-commits, jgoulding, jokerman, mchappel, mizdebsk, msrb, security-response-team, sfowler, sthangav, trankin, travi, wzheng
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins 2.154, Jenkins LTS 2.138.4, Jenkins LTS 2.150.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1656866, 1657084, 1657085, 1657086, 1657087, 1657088, 1657089, 1657090, 1657091, 1657092, 1657093    
Bug Blocks: 1656867    

Description Laura Pardo 2018-12-06 14:33:06 UTC
A flaw was found in the way Jenkins uses the Stapler web framework for HTTP request handling. Stapler’s basic premise is that it uses reflective access to code elements matching its naming conventions. As these naming conventions closely match common code patterns in Java, accessing crafted URLs could invoke methods never intended to be invoked this way.


References:
https://jenkins.io/security/advisory/2018-12-05/

Comment 1 Laura Pardo 2018-12-06 14:33:33 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1656866]

Comment 4 Jason Shepherd 2018-12-07 06:53:24 UTC
From upstream advisory:
As of publication of this advisory, we are aware of the following potential attacks in the latest Jenkins releases that do not yet contain this fix:

Unauthenticated users can invalidate all sessions
Users with Overall/Read permission could create new user objects in memory.
Users with Overall/Read access could manually kick off otherwise periodically executed runs of implementations of AsyncPeriodicWork.

Given the vast potential attack surface, we fully expect other attacks, that we are not currently aware of, to be possible on Jenkins releases that do not have this fix applied. This is reflected in the high score we assigned to this issue, rather than limiting the score to the impact through known issues.

Comment 5 Jason Shepherd 2018-12-07 06:53:39 UTC
Statement:

This vulnerability is only exploitable by a user with developer permissions. Therefore this vulnerability is rated Important for OpenShift Container Platform 3.x.

Comment 6 Gabe Montero 2018-12-07 15:12:41 UTC
PR https://github.com/openshift/jenkins/pull/749 created for 3.11

Comment 7 Gabe Montero 2018-12-10 04:38:07 UTC
The PR I mentioned has merged, updating our centos image.

Job https://buildvm.openshift.eng.bos.redhat.com:8443/job/devex/job/devex%252Fjenkins-bump-version/27/ updated
the RPM used in the 3.11 z stream to point to 2.138.4