Bug 1669508 (CVE-2019-1003002)

Summary: CVE-2019-1003002 jenkins-plugin-pipeline-model-definition: Sandbox Bypass in Pipeline: Declarative
Product: [Other] Security Response Reporter: Paul Harvey <pharvey>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, jburrell, jgoulding, jokerman, mchappel, mmccomas, nstielau, obulatov, pbhattac, sponnaga, vbobade, wzheng
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pipeline-model-definition-plugin 1.3.4.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins Pipeline. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This allows users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-26 16:36:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1669522, 1669523, 1669524, 1669525, 1669526, 1671214    
Bug Blocks: 1667569    

Description Paul Harvey 2019-01-25 14:17:13 UTC 
A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.


References:
https://jenkins.io/security/advisory/2019-01-08/

Upstream patches:
https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/083abd96e68fd89f556a0cd53db5f878dbf09b92
Comment 3 Paul Harvey 2019-01-31 06:34:07 UTC 
openshift-enterprise-3.2, openshift-enterprise-3.3, openshift-enterprise-3.4: notaffected. jenkins-plugin-pipeline-model-definition is not included in any of:
- containers/openshift-jenkins:rhaos-3.2-rhel-7
- containers/openshift-jenkins:rhaos-3.3-rhel-7
- containers/openshift-jenkins-2:rhaos-3.3-rhel-7
- containers/openshift-jenkins:rhaos-3.4-rhel-7
- containers/openshift-jenkins-2:rhaos-3.4-rhel-7
- containers/openshift-jenkins:rhaos-3.5-rhel-7

Once openshift3/jenkins-1-rhel7 and openshift3/jenkins-2-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.5+ are encouraged to update these container images in their environment.
Comment 4 Paul Harvey 2019-01-31 06:50:16 UTC 
External References:

https://jenkins.io/security/advisory/2019-01-08/
Comment 5 Vibhav Bobade 2020-08-26 16:36:16 UTC 
Closing as bug is obsolete and this plugin is not used anymore