https://bugzilla.redhat.com/show_bug.cgi?id=1335415
Bug ID: 1335415
Summary: CVE-2016-3721 jenkins: Arbitrary build parameters are
passed to build scripts as environment variables
(SECURITY-170)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, lmeyer(a)redhat.com,
mizdebsk(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com, tdawson(a)redhat.com,
tiwillia(a)redhat.com
The following flaw was found in Jenkins:
Build parameters in Jenkins typically are passed to build scripts as
environment variables. Some plugins allow passing arbitrary (undeclared)
parameters. Depending on access permissions and installed plugins, malicious
users were able to trigger builds, passing arbitrary environment variables
(e.g. PATH) to modify the behavior of those builds. Rather than expect all
plugin authors to be aware of this potential problem, Jenkins now filters the
build parameters based on what is defined on the job.
As this change is known to affect a number of plugins, it's possible to restore
the previous behavior by setting the system property
hudson.model.ParametersAction.keepUndefinedParameters to true. This is
potentially very unsafe and intended as a short-term workaround only.
To allow specific, known safe parameter names to be passed to builds, set the
system property hudson.model.ParametersAction.safeParameters to a
comma-separated list of safe parameter names. Example:
java -Dhudson.model.ParametersAction.safeParameters=FOO,BAR_BAZ,qux -jar jenkins.war
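The filtering the advisory describes can be modelled to see what reaches a build under each setting. The block below is an added illustration written for this page, not Jenkins' own ParametersAction code: it takes the parameter names declared on a job, the name/value pairs a trigger submitted, and the two system properties named above, and returns what would be exported as environment variables. The property names are the real ones from the advisory; the job, the submitted values (including the PATH override) and the helper names are constructed for the example.

```python
"""Model of the build-parameter filtering introduced for SECURITY-170 / CVE-2016-3721.

Added example, not Jenkins' implementation: it reproduces the behaviour the
advisory describes (only parameters declared on the job, plus names on the
safeParameters allow-list, are exported; keepUndefinedParameters=true restores
the old pass-everything behaviour). Sample job and values are constructed.
"""
from dataclasses import dataclass

# Real system-property names from the advisory.
KEEP_UNDEFINED_PROP = "hudson.model.ParametersAction.keepUndefinedParameters"
SAFE_PARAMS_PROP = "hudson.model.ParametersAction.safeParameters"


@dataclass
class FilterResult:
    environment: dict   # parameters that would become env vars for the build
    dropped: list       # undeclared names that were filtered out (sorted)
    unsafe_mode: bool   # True when the keepUndefinedParameters workaround is on


def parse_safe_parameters(system_properties: dict) -> set:
    """Split the comma-separated safeParameters value into a set of names."""
    raw = system_properties.get(SAFE_PARAMS_PROP, "")
    return {name.strip() for name in raw.split(",") if name.strip()}


def keep_undefined(system_properties: dict) -> bool:
    """Workaround flag is honoured only when set to the string 'true' (case-insensitive)."""
    value = system_properties.get(KEEP_UNDEFINED_PROP, "false")
    return value.strip().lower() == "true"


def filter_build_parameters(declared: set, submitted: dict, system_properties: dict) -> FilterResult:
    """Decide which submitted parameters may be exported to the build environment.

    declared:  parameter names defined in the job configuration
    submitted: name -> value pairs supplied by whoever triggered the build
    """
    if keep_undefined(system_properties):
        # Pre-fix behaviour: every submitted name becomes an environment variable.
        return FilterResult(dict(submitted), [], True)

    allowed = declared | parse_safe_parameters(system_properties)
    environment = {name: value for name, value in submitted.items() if name in allowed}
    dropped = sorted(name for name in submitted if name not in allowed)
    return FilterResult(environment, dropped, False)


# Constructed sample: a job declaring BRANCH and TARGET, and a trigger that also
# submits an undeclared PATH (the case the advisory calls out) and an undeclared FOO.
SAMPLE_DECLARED = {"BRANCH", "TARGET"}
SAMPLE_SUBMITTED = {
    "BRANCH": "main",
    "TARGET": "release",
    "PATH": "/tmp/untrusted:/usr/bin",
    "FOO": "1",
}


def demo(system_properties: dict = None) -> FilterResult:
    """Run the sample job/trigger through the filter with the given -D properties."""
    return filter_build_parameters(SAMPLE_DECLARED, SAMPLE_SUBMITTED, system_properties or {})


if __name__ == "__main__":
    for props in ({}, {SAFE_PARAMS_PROP: "FOO,BAR_BAZ,qux"}, {KEEP_UNDEFINED_PROP: "true"}):
        result = demo(props)
        print(props or "(defaults)")
        print("  exported:", result.environment)
        print("  dropped: ", result.dropped, " unsafe mode:", result.unsafe_mode)
```

With default settings only BRANCH and TARGET survive and PATH is dropped; adding FOO to safeParameters lets FOO through while PATH is still dropped; setting keepUndefinedParameters=true exports everything, which is why the advisory calls that workaround unsafe. When reviewing a Jenkins instance, the safeParameters list is the setting to audit: any name on it is exported to every job's build environment regardless of what the job declares.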
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...