Bug 1669505 (CVE-2019-1003001)

Summary: CVE-2019-1003001 jenkins-plugin-workflow-cps: Sandbox Bypass in Pipeline: Groovy Plugin
Product: [Other] Security Response Reporter: Paul Harvey <pharvey>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, ahardin, aos-bugs, bleanhar, bmontgom, bparees, ccoleman, dedgar, eparis, jburrell, jgoulding, jokerman, mchappel, mmccomas, nstielau, obulatov, pbhattac, sponnaga, vbobade, wzheng
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: workflow-cps-plugin 2.61.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins Pipeline. In the Declarative plugin, the script sandbox protection could be circumvented during the script compilation phase by applying AST. Both the pipeline validation REST APIs and the actual script/pipeline execution are affected. This allows users with Overall/Read permissions, or those able to control Jenkinsfile or the sandboxed Pipeline shared library contents in SCM, to bypass sandbox protection and execute arbitrary code on the Jenkins master. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-26 16:34:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1669516, 1669517, 1669518, 1669519, 1669520, 1669521, 1669522, 1671214    
Bug Blocks: 1667569    

Description Paul Harvey 2019-01-25 14:09:59 UTC 
A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master.

References:
https://jenkins.io/security/advisory/2019-01-08/

Upstream patches:
https://github.com/jenkinsci/workflow-cps-plugin/commit/d09583eda7898eafdd15297697abdd939c6ba5b6
Comment 3 Paul Harvey 2019-01-31 06:28:37 UTC 
openshift-enterprise-3.2: affected
- containers/openshift-jenkins:rhaos-3.2-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6

openshift-enterprise-3.3: affected
- containers/openshift-jenkins:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6
- containers/openshift-jenkins-2:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6

Once openshift3/jenkins-1-rhel7 and openshift3/jenkins-2-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment.
Comment 4 Paul Harvey 2019-01-31 06:50:01 UTC 
External References:

https://jenkins.io/security/advisory/2019-01-08/
Comment 5 Vibhav Bobade 2020-08-26 16:34:44 UTC 
Closing as it is obsolete