Bug 1471064 – CVE-2017-1000096 jenkins-plugin-workflow-cps: Arbitrary code execution due to incomplete sandbox protection (SECURITY-551)

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1471064 - (CVE-2017-1000096) CVE-2017-1000096 jenkins-plugin-workflow-cps: Arbitrary code execution due to incomplete sandbox protection (SECURITY-551)

Summary:	CVE-2017-1000096 jenkins-plugin-workflow-cps: Arbitrary code execution due to...

Status:	CLOSED WONTFIX

Aliases:	CVE-2017-1000096

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20170710,repo...
Keywords:	Security

Depends On:	1472033
Blocks:	1471067
	Show dependency tree / graph

Reported:	2017-07-14 06:38 EDT by Adam Mariš
Modified:	2017-08-18 01:22 EDT (History)
CC List:	9 users (show)

See Also:
Fixed In Version:	jenkins-plugin-workflow-cps 2.36.1
Doc Type:	If docs needed, set a value
Doc Text:	The jenkins-plugin-script-security has incomplete sandbox protection which allows attackers to execute arbitrary code via constructors, instance variable initializers, and instance initializers in Pipeline scripts. Exploitation of this requires the attacker to have permission to configure Pipelines in Jenkins or be a trusted committers to repositories containing Jenkinsfiles and for that Jenkins instance to be hosting other projects as well that the attacker should not have access to.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-08-14 12:43:03 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2017-07-14 06:38:16 EDT

Pipelines are subject to script security: Either the entire Pipeline needs to be approved, or it runs in a sandbox, with only whitelisted methods etc. allowed to be called.

Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code.

This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

External References:

https://jenkins.io/security/advisory/2017-07-10/

Comment 1 Adam Mariš 2017-07-14 06:38:33 EDT

Acknowledgments:

Name: the Jenkins project
Upstream: Simon St John, Green

Comment 3 Trevor Jay 2017-08-14 12:43:03 EDT

Statement:

This issue affects the versions of jenkins-plugin-workflow-cps  as shipped with Red Hat OpenShift Enterprise 3. However, this flaw is of low impact under the supported scenarios in OpenShift Enterprise 3. A future update may address this issue.

Note You need to log in before you can comment on or make changes to this bug.