Bug 1620354 – CVE-2018-1999047 jenkins: Unauthorized users could cancel scheduled restarts initiated from the update center

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1620354 - (CVE-2018-1999047) CVE-2018-1999047 jenkins: Unauthorized users could cancel scheduled restarts initiated from the update center

Summary:	CVE-2018-1999047 jenkins: Unauthorized users could cancel scheduled restarts ...

Status:	NEW

Aliases:	CVE-2018-1999047

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20180815,reported=2...
Keywords:	Security

Depends On:	1620355
Blocks:	1620339
	Show dependency tree / graph

Reported:	2018-08-23 00:45 EDT by Sam Fowler
Modified:	2018-10-31 03:08 EDT (History)
CC List:	13 users (show)

See Also:
Fixed In Version:	jenkins 2.121.3, jenkins 2.138
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2018-08-23 00:45:10 EDT

Jenkins before LTS version 2.121.3 and weekly version 2.138 allow unauthorized users to cancel scheduled restarts initiated from the update center.

Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks.


External Reference:

https://jenkins.io/security/advisory/2018-08-15/#SECURITY-1076

Comment 1 Sam Fowler 2018-08-23 00:46:06 EDT

Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1620355]

Comment 2 Jason Shepherd 2018-10-31 03:06:55 EDT

By default Jenkins doesn't setup users with just Overall/Read permission. It's possible to setup such users but it's best not to rely on Agent/Connect permission to prevent cancellation of restart jobs because of this issue on OpenShift Container Platform 3.10 and earlier.

Upgrade to OpenShift Container Platform 3.11 to pick up a fix for this issue.

Note You need to log in before you can comment on or make changes to this bug.