Bug 1668736 (CVE-2019-1003004)

Summary: CVE-2019-1003004 jenkins: deleting a user record will does not invalidate existing sessions
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, adam.kaplan, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, gmontero, jburrell, jgoulding, jokerman, mchappel, mmccomas, nstielau, obulatov, pbhattac, sponnaga, vbobade, wzheng
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Jenkins weekly 2.160, Jenkins LTS 2.150.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-05 03:05:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1668446    
Bug Blocks: 1668794    

Description msiddiqu 2019-01-23 13:17:20 UTC 
When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm does not result in the user losing access to Jenkins.

While deleting the user record from Jenkins did invalidate the 'Remember me' cookie, there was no way to invalidate active sessions besides restarting Jenkins or terminating sessions through other means, such as Monitoring Plugin.

Jenkins now encodes a per-user seed value in sessions, 'Remember me' cookies, and cached authentications of the remoting-based CLI, that can manually be reset by a user themselves, or an administrator, on the user’s configuration page. Doing so will invalidate all current sessions, 'Remember me' cookies, and cached CLI authentications, requiring credentials to be entered again to authenticate. Deleting a user record in Jenkins will now also invalidate existing sessions, as the current seed value is deleted as well.
Comment 1 msiddiqu 2019-01-23 13:19:25 UTC 
External References:

https://jenkins.io/security/advisory/2019-01-16/
Comment 2 msiddiqu 2019-01-23 13:39:02 UTC 
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1668446]
Comment 3 Gabe Montero 2019-03-05 03:05:05 UTC 
The v3.11 image has already been released with 2.150.2.  Customers should look for:

registry.access.redhat.com/openshift3/jenkins-2-rhel7   v3.11               19080d270283        2 weeks ago         1.42GB

and the 4.0 image is shipping with 2.150.2

Per strategy for jenkins security advisories, we are only updating 3.11.x and 4.x.  Instructions for how older 3.x clusters
can use the 3.11.x image are at https://github.com/openshift/jenkins#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary
Comment 4 Sam Fowler 2019-04-24 00:47:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHBA-2019:0326 https://access.redhat.com/errata/RHBA-2019:0326