Devs urged to keep their CI pipeline in order

Jenkins plugins impacted by security flaws

The Jenkins project has released a security advisory urging developers to patch an assortment of vulnerabilities found in plugins used by the open source automation server.

Fixes have been issued for several vulnerabilities of ‘medium’ to ‘high’ severity that impact Jenkins plugins.

The most popular plugins affected have around 25,000 reported installations, according to the security advisory pre-announcement from Wadeck Follonier of the Jenkins project.

Impacted Jenkins plugin include Amazon EC2 Plugin, Gitlab Hook Plugin, Health Advisor by CloudBees Plugin, Redgate SQL Change Automation Plugin, Robot Framework Plugin, and Sounds Plugin.

“All prior [plugin] versions are considered to be affected by these vulnerabilities unless otherwise indicated,” said the advisory, published yesterday (January 15).

Users are advised to update to the latest plugin versions, which have the highlighted vulnerabilities mitigated.

An XML External Entity (XXE) flaw, for instance, exists in the Robot Framework Plugin, a test suite for robotic process automation that has 7,743 installs, according to the Jenkins plugin site.

“This allows a user [to be] able to control the input files for the Publish Robot Framework post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks,” the advisory said, rating the vulnerability, CVE-2020-2092, as ‘high’ severity.

The latest version of the plugin, 2.0.1, prevents XXE attacks by “disabling external entity resolution for its XML parser”, the advisory added.

Jenkins is an open source automation server that helps developers build, test, and navigate their builds. The DevOps platform is used by a reported 15 million developers around the world.

Plugins assist the server in achieving continuous integration (CI) throughout an organization’s development cycle across multiple platforms, and offer flexibility based on the diversity of add-ons available.

“We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner,” the Jenkins project states on its website.

“However, the structure of the Jenkins project, which gives plugin maintainers a lot of autonomy, and the number and diversity of plugins make this impossible.”

If a plugin is vulnerable, the Jenkins project contacts the relevant maintainer and asks for a fix. In the case of no fixes, a security advisory is published with suggested workarounds. The plugin will no longer be published if the vulnerability is considered severe, as well.

“With a plugin ecosystem as big as Jenkins’, with more than 1,500 plugins, some maintainers are able to respond more quickly than others,” Daniel Beck, security officer at the Jenkins project, told The Daily Swig.

“For example, security fixes for Pipeline/Script Security related vulnerabilities – that affect many users – are typically delivered within just 2-3 weeks.

“Most issues are published within three months of being reported,” he added.

There are currently no fixes available for security bugs impacting Gitlab Hook and Sounds – plugins with 15,109 and 830 installs, respectively. Sounds Plugin has a fix in development, Beck said.

“The originally reported severity was quite a bit lower than what it ended up being, so we decided to announce the problem now rather than wait for the fix to be available,” he said.

The Gitlab Hook Plugin, versions 1.4.2 and earlier, has a cross-site scripting vulnerability (XSS), which could allow an attacker to perform actions as the user due to an issue in the plugin’s build_now endpoint.

Users are recommended to stop using this plugin.

“GitLab Hook depends on an outdated runtime that is on course for planned deprecation and removal from distribution,” Beck said.

“It is likely this plugin will be removed fairly soon regardless.”

Full details of the vulnerabilities can be found on the Jenkins Security Advisory.

The Daily Swig has reached out to the Jenkins Project for additional comment.

YOU MIGHT ALSO LIKE Free tool makes it easy for researchers to ‘pillage’ Jenkins server data