
Don't let plugins open up more Jenkins vulnerabilities

Three Jenkins plugins, Blue Ocean, Config File Provider and Groovy, have shipped with security vulnerabilities. Here's how to address them, and what could happen if you don't.

Every new software development project brings the risk of new bugs, and that risk grows when the project integrates with a number of other important parts of the tool, as Jenkins plugins do.

Let's explore three Jenkins vulnerabilities in the Blue Ocean, Config File Provider and Groovy plugins, how a developer can identify their root causes and, ideally, how to keep them out of a development environment.

Blue Ocean plugin

The Blue Ocean plugin for Jenkins depends on the Pipeline plugins, including the Git and GitHub integrations for Pipeline, which execute a group of jobs in stages. With Blue Ocean, a user can automate CD pipelines more easily through visualization of those pipelines and a pipeline editor. The visualization helps Jenkins DevOps team members locate issues and collaborate with others on potential resolutions for a particular project.

Older versions of Blue Ocean allow an attacker with low privileges to exploit a cross-site request forgery (CSRF) weakness; the cross-site scripting (XSS) issue requires high privileges to exploit. Both are medium-severity Jenkins vulnerabilities, with CVSS (Common Vulnerability Scoring System) ratings of 4.2 and 4.8 respectively on a 0 to 10 scale, where 0.0 means no severity and 10.0 means critical severity.

Fixed versions of Blue Ocean require a valid CSRF token on POST requests, and the plugin now properly escapes HTML/JavaScript content set in the current user's description field. The simplest way to get the fix is to update the main Blue Ocean plugin, because it is an aggregator that pulls in updates to all of its dependent plugins and libraries.
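To make the CSRF fix concrete, here is an added Python model (not Blue Ocean or Jenkins code) of how a session-bound crumb check defeats a forged POST, together with the client-side flow a script needs in order to keep working against a patched Blue Ocean. The `/crumbIssuer/api/json` response fields and the `Jenkins-Crumb` header are what Jenkins really exposes; the HMAC-over-session-id derivation, the `CrumbIssuer` class and the session ids in `demo()` are assumptions made for the illustration.

```python
"""Model of Jenkins-style CSRF crumb protection (added example, not Jenkins code).

Real parts: the /crumbIssuer/api/json response fields and the Jenkins-Crumb
request header. Assumed for illustration: the HMAC-over-session-id derivation,
the CrumbIssuer class and the session ids used in demo().
"""
import hashlib
import hmac
import json
import secrets
import urllib.request
from typing import Dict, Optional, Tuple

CRUMB_FIELD = "Jenkins-Crumb"


class CrumbIssuer:
    """Server side: issue a crumb bound to one session, validate state-changing requests."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self.secret = secret or secrets.token_bytes(32)

    def issue(self, session_id: str) -> Dict[str, str]:
        # Same shape as GET /crumbIssuer/api/json on a real Jenkins.
        crumb = hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()
        return {"crumbRequestField": CRUMB_FIELD, "crumb": crumb}

    def accepts(self, method: str, session_id: str, headers: Dict[str, str]) -> bool:
        """Safe methods pass; anything else must carry the crumb issued to this session."""
        if method.upper() in ("GET", "HEAD", "OPTIONS"):
            return True
        expected = self.issue(session_id)["crumb"]
        presented = headers.get(CRUMB_FIELD, "")
        return hmac.compare_digest(expected, presented)


def crumb_headers(issuer_response: Dict[str, str]) -> Dict[str, str]:
    """Client side: turn the crumbIssuer JSON into the header a POST must carry."""
    return {issuer_response["crumbRequestField"]: issuer_response["crumb"]}


def post_with_crumb(base_url: str, path: str, body: bytes) -> int:
    """Real client flow against a Jenkins (network call; not exercised offline).

    The crumb is bound to the session cookie it was issued with, so one cookie
    jar must be shared between the crumb fetch and the POST."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    with opener.open(f"{base_url}/crumbIssuer/api/json") as resp:
        headers = crumb_headers(json.load(resp))
    headers["Content-Type"] = "application/json"
    req = urllib.request.Request(f"{base_url}{path}", data=body, headers=headers, method="POST")
    with opener.open(req) as resp:
        return resp.status


def demo() -> Tuple[bool, bool, bool]:
    issuer = CrumbIssuer()
    victim = "JSESSIONID.victim-constructed"
    # Legitimate front end: fetched a crumb for its own session and sends it back.
    legit = issuer.accepts("POST", victim, crumb_headers(issuer.issue(victim)))
    # Cross-site form post: the browser attaches the victim's cookies, but the
    # attacker's page cannot read the crumb, so the header is simply absent.
    forged = issuer.accepts("POST", victim, {})
    # A crumb the attacker obtained for their own session does not transfer.
    stolen = issuer.accepts("POST", victim, crumb_headers(issuer.issue("JSESSIONID.attacker")))
    return legit, forged, stolen


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The session binding is the whole point: a cross-site page can make the victim's browser send cookies, but it cannot read the crumb issued to the victim's session, so the header is absent or wrong and the POST is rejected. Clients that authenticate with a user API token are exempt from the crumb check, but anything riding on a browser session, Blue Ocean's own front end included, must fetch the crumb and send it back under the same session cookie, which is why the client above keeps a cookie jar.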

Config File Provider plugin

Users can let Jenkins provide and deploy configuration files automatically before a build starts. Through the Jenkins UI, users can create, edit and administer the following file types:

  • Maven settings.xml
  • Plain XML
  • Groovy
  • JSON (JavaScript Object Notation)
  • Plain text

Note that binary files aren't supported, since the files are meant to be human-readable and edited in the UI. Also make sure Maven is configured before it's used as a build component of a Jenkins DevOps pipeline.

Config File Provider requires the Token Macro plugin, which has had its own vulnerabilities (see the Groovy section below); if Token Macro is left unpatched, every plugin that expands tokens through it, Config File Provider included, inherits the problem. Config File Provider also depends on the Credentials and SSH Credentials plugins. The Maven settings.xml file type has built-in support for the Credentials plugin, and after you install Config File Provider a new Credentials specification becomes available.

Older plugin versions aren't safe: they mishandled script file names in the JavaScript-based UI, which led to CSRF and XSS vulnerabilities, and an attacker with Overall/Read access could view and edit configuration files used by Jenkins pipelines. This is a medium-severity Jenkins vulnerability with a CVSS rating of 4.8.

Groovy plugin

The Groovy plugin exposes a form-validation HTTP endpoint that checks a user-submitted Groovy script by compiling it; that compilation step was not itself covered by the Script Security sandbox. When configuring a Groovy installation, don't rely on the (Default) option: if no installation is configured, the plugin simply invokes whatever groovy binary it finds on the machine's default path.

Groovy depends on the Script Security plugin, which had vulnerabilities reported in the Jenkins security advisory dated 2019-01-28; further vulnerabilities were reported in the advisory dated 2019-02-19.

The Token Macro plugin is supported as an optional dependency. Token Macro support is switched off by default and has to be turned on in the global configuration page.

If you allow token macro processing, the macro evaluation is done in System Groovy. That means any user who can get a macro-processed field evaluated can run an arbitrary system script, regardless of whether or not they have administrator permission, so leave it off unless every such user is already trusted with administrator-level access.

Be aware that older Token Macro versions applied token expansion recursively: text produced by one token was scanned again for tokens, so an attacker who controls such text could smuggle in further tokens. Malicious expansion could lead to information exposure and, in the worst scenario, a denial of service.
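The following Python example, added here and not code from the Token Macro plugin, shows why recursive expansion is the bug: a recursive expander re-scans the output of each token, so a commit message that merely contains a `${...}` token gets it evaluated, and a self-replicating value never converges. The `${NAME,arg="value"}` syntax follows the plugin's conventions, but the token handlers, the context dictionary, the secret and the commit message are all constructed for the illustration.

```python
"""Nested token expansion: recursive re-scan versus a single pass.

Added example, not Token Macro plugin code. The ${NAME,arg="v"} syntax follows
the plugin; handlers, context, secret and commit message are constructed here.
"""
import re
from typing import Dict, Tuple

TOKEN_RE = re.compile(r'\$\{([A-Z_]+)((?:,\s*[a-z_]+="[^"]*")*)\}')
ARG_RE = re.compile(r'([a-z_]+)="([^"]*)"')

# Constructed handlers standing in for the macros that other plugins register.
TOKENS = {
    "CHANGES": lambda ctx, args: ctx["commit_message"],
    "ENV": lambda ctx, args: ctx["env"].get(args.get("var", ""), ""),
    "BUILD_NUMBER": lambda ctx, args: str(ctx["build_number"]),
}


def _expand_once(template: str, ctx: Dict) -> str:
    """Substitute every token found in `template` exactly once."""
    def repl(match: "re.Match") -> str:
        name, argstr = match.group(1), match.group(2)
        handler = TOKENS.get(name)
        if handler is None:
            return match.group(0)  # unknown token: left untouched
        args = dict(ARG_RE.findall(argstr))
        return handler(ctx, args)
    return TOKEN_RE.sub(repl, template)


def expand_recursive(template: str, ctx: Dict, max_rounds: int = 10) -> str:
    """The unsafe behaviour: keep expanding until the text stops changing.

    Output of one token is fed back in as input, so data that merely contains
    ${...} is evaluated. A self-replicating value never converges, which is
    the denial-of-service side of the bug; the round cap turns it into an error."""
    text = template
    for _ in range(max_rounds):
        expanded = _expand_once(text, ctx)
        if expanded == text:
            return expanded
        text = expanded
    raise RuntimeError("token expansion did not converge")


def expand_single_pass(template: str, ctx: Dict) -> str:
    """The safe behaviour: only the template is scanned; substituted text is data."""
    return _expand_once(template, ctx)


def demo() -> Tuple[str, str]:
    ctx = {
        "build_number": 42,
        "env": {"DEPLOY_TOKEN": "s3cr3t-deploy-token"},  # constructed secret
        # Attacker-controlled input: a commit message that carries a token.
        "commit_message": 'Fix flaky test ${ENV,var="DEPLOY_TOKEN"}',
    }
    template = "Build #${BUILD_NUMBER}: ${CHANGES}"
    return expand_recursive(template, ctx), expand_single_pass(template, ctx)


if __name__ == "__main__":
    recursive, single = demo()
    print("recursive  :", recursive)  # leaks the secret
    print("single pass:", single)     # token stays literal text
```

The single-pass version treats whatever a token produces as data, which is the property the fixed plugin restores. The recursion cap is only there so the demonstration terminates; a service without one would grind until it ran out of time or memory on a value like `${CHANGES}${CHANGES}`, which doubles in size every round.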

In older versions of the Groovy plugin, that endpoint did not compile user input with a safe Groovy compiler configuration. Compilation is not harmless: Groovy annotations such as @groovy.transform.ASTTest run code during compilation, so an attacker with Overall/Read permission could execute arbitrary code on the Jenkins master through Abstract Syntax Tree (AST) transformations without the script ever being run. The remedy is to upgrade to a plugin version that compiles with a safe configuration; there is nothing for developers to bolt on themselves. This vulnerability came with a CVSS rating of 8.8.
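The practical check for all three sections above (Blue Ocean, Config File Provider and Groovy, plus the Script Security and Token Macro dependencies they pull in) is whether your controller still runs an affected plugin version. Here is an added Python audit script, not Jenkins code, that reads the JSON a real Jenkins returns from `GET /pluginManager/api/json?depth=1` (fields `plugins[].shortName`, `version`, `active`) and flags anything below a fixed release. The `FIXED_VERSIONS` table is an assumption to confirm against the Jenkins security advisories before you rely on it, and `SAMPLE_RESPONSE` is a constructed stand-in for the live endpoint.

```python
"""Audit installed Jenkins plugin versions against fixed releases.

Added example, not Jenkins code. Input shape is that of
GET /pluginManager/api/json?depth=1. FIXED_VERSIONS is an assumption to be
verified against the Jenkins security advisories; SAMPLE_RESPONSE is constructed.
"""
import json
import re
from typing import Dict, List, Tuple

# Assumed minimum safe versions for the plugins discussed in the article.
# Verify each against the advisory that fixed the issue before relying on it.
FIXED_VERSIONS = {
    "blueocean": "1.10.2",
    "config-file-provider": "3.5",
    "groovy": "2.1",
    "script-security": "1.51",
    "token-macro": "2.8",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric comparison: 1.10.2 is newer than 1.9, which a string compare
    gets wrong. Suffixes such as -beta-1 or -SNAPSHOT are dropped, so a
    pre-release is treated as its base version (conservative for an audit)."""
    core = re.split(r"[-_+ ]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def is_fixed(installed: str, fixed: str) -> bool:
    return parse_version(installed) >= parse_version(fixed)


def audit(plugin_manager_json: str) -> List[Dict[str, str]]:
    """One finding per active plugin in FIXED_VERSIONS that is below the fixed version."""
    data = json.loads(plugin_manager_json)
    findings: List[Dict[str, str]] = []
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        fixed = FIXED_VERSIONS.get(name)
        # Unknown plugins and disabled ones are out of scope for this check.
        if fixed is None or not plugin.get("active", True):
            continue
        if not is_fixed(plugin["version"], fixed):
            findings.append({"plugin": name, "installed": plugin["version"], "fixed_in": fixed})
    return findings


# Constructed sample in the shape of /pluginManager/api/json?depth=1.
SAMPLE_RESPONSE = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "blueocean", "version": "1.10.1", "active": True},
        {"shortName": "config-file-provider", "version": "3.5", "active": True},
        {"shortName": "groovy", "version": "2.0", "active": True},
        {"shortName": "script-security", "version": "1.49", "active": True},
        {"shortName": "token-macro", "version": "2.7", "active": False},
        {"shortName": "git", "version": "3.9.1", "active": True},
    ],
})

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(f"{finding['plugin']}: installed {finding['installed']}, fixed in {finding['fixed_in']}")
```

Against the constructed sample the script reports blueocean, groovy and script-security; config-file-provider is already at its fixed version, token-macro is skipped because it is disabled, and git is not in the table. To run it for real, save the output of the `pluginManager` endpoint (fetched with an API token) to a file and pass its contents to `audit()`.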
