Bug 1668345 (CVE-2019-1003003)

Summary: CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, adam.kaplan, ahardin, aos-bugs, bleanhar, bmontgom, bparees, ccoleman, dedgar, eparis, gmontero, java-sig-commits, jburrell, jgoulding, jokerman, mchappel, mizdebsk, mmccomas, msrb, nstielau, obulatov, pbhattac, psampaio, sponnaga, vbobade, wzheng
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Jenkins weekly 2.160, Jenkins LTS 2.150.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-05 03:05:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1668446    
Bug Blocks: 1668794    

Description msiddiqu 2019-01-22 13:43:53 UTC 
Users with the Overall/RunScripts permission (typically administrators) were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire. This allowed attackers access to a Jenkins instance while the corresponding user in the configured security realm exists, for example to persist access after another successful attack.
Comment 1 msiddiqu 2019-01-22 13:44:25 UTC 
Created jenkins tracking bugs for this issue:

Affects: fedora-28 [bug 1668346]
Comment 2 msiddiqu 2019-01-22 13:45:34 UTC 
External References:

https://jenkins.io/security/advisory/2019-01-16/
Comment 3 msiddiqu 2019-01-22 18:38:10 UTC 
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1668446]
Comment 4 Gabe Montero 2019-03-05 03:05:26 UTC 
The v3.11 image has already been released with 2.150.2.  Customers should look for:

registry.access.redhat.com/openshift3/jenkins-2-rhel7   v3.11               19080d270283        2 weeks ago         1.42GB

and the 4.0 image is shipping with 2.150.2

Per strategy for jenkins security advisories, we are only updating 3.11.x and 4.x.  Instructions for how older 3.x clusters
can use the 3.11.x image are at https://github.com/openshift/jenkins#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary
Comment 5 Sam Fowler 2019-04-24 00:47:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHBA-2019:0326 https://access.redhat.com/errata/RHBA-2019:0326