https://bugzilla.redhat.com/show_bug.cgi?id=1668345
Bug ID: 1668345
Summary: CVE-2019-1003003 Jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-28/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: msiddiqu@redhat.com
CC: java-sig-commits@lists.fedoraproject.org, mizdebsk@redhat.com, msrb@redhat.com
Target Milestone: ---
Classification: Other
Users with the Overall/RunScripts permission (typically administrators) were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire. This allowed attackers access to a Jenkins instance while the corresponding user in the configured security realm exists, for example to persist access after another successful attack.
msiddiqu@redhat.com changed:

What       |Removed |Added
---------------------------------------------------------------------------
Depends On |        |1668346

--- Comment #1 from msiddiqu@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-28 [bug 1668346]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1668346 [Bug 1668346] CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance [fedora-28]
--- Comment #2 from msiddiqu@redhat.com ---
External References:
https://jenkins.io/security/advisory/2019-01-16/
msiddiqu@redhat.com changed:

What       |Removed |Added
---------------------------------------------------------------------------
CC         |        |ahardin@redhat.com, aos-bugs@redhat.com, bleanhar@redhat.com, bparees@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, eparis@redhat.com, jgoulding@redhat.com, jokerman@redhat.com, mchappel@redhat.com, wzheng@redhat.com
Whiteboard |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-28/jenkins=affected |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.0/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-3.2/jenkins=new,openshift-enterprise-3.3/jenkins=new,openshift-enterprise-3.4/jenkins=new,openshift-enterprise-3.5/jenkins=new,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new
msiddiqu@redhat.com changed:

What       |Removed |Added
---------------------------------------------------------------------------
Depends On |        |1668446

--- Comment #3 from msiddiqu@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1668446]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1668446 [Bug 1668446] CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance [fedora-all]
msiddiqu@redhat.com changed:

What    |Removed |Added
---------------------------------------------------------------------------
Summary |CVE-2019-1003003 Jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance |CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance
Pedro Sampaio <psampaio@redhat.com> changed:

What                  |Removed |Added
---------------------------------------------------------------------------
Comment #2 is private |1       |0
CC                    |        |psampaio@redhat.com
Bug 1668345 depends on bug 1668346, which changed state.
Bug 1668346 Summary: CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance [fedora-28] https://bugzilla.redhat.com/show_bug.cgi?id=1668346
What       |Removed |Added
---------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |DUPLICATE
Andrej Nemec <anemec@redhat.com> changed:

What       |Removed |Added
---------------------------------------------------------------------------
Depends On |1668346 |
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1668346 [Bug 1668346] CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance [fedora-28]
msiddiqu@redhat.com changed:

What   |Removed |Added
---------------------------------------------------------------------------
Blocks |        |1668794
Timothy Walsh <twalsh@redhat.com> changed:

What       |Removed |Added
---------------------------------------------------------------------------
CC         |        |adam.kaplan@redhat.com
Whiteboard |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.0/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-3.2/jenkins=new,openshift-enterprise-3.3/jenkins=new,openshift-enterprise-3.4/jenkins=new,openshift-enterprise-3.5/jenkins=new,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.0/jenkins=new,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=new,openshift-enterprise-3.3/jenkins=new,openshift-enterprise-3.4/jenkins=new,openshift-enterprise-3.5/jenkins=new,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new
Timothy Walsh <twalsh@redhat.com> changed:

What       |Removed |Added
---------------------------------------------------------------------------
Whiteboard |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.0/jenkins=new,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=new,openshift-enterprise-3.3/jenkins=new,openshift-enterprise-3.4/jenkins=new,openshift-enterprise-3.5/jenkins=new,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.0/jenkins=notaffected,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=affected,openshift-enterprise-3.3/jenkins=affected,openshift-enterprise-3.4/jenkins=affected,openshift-enterprise-3.5/jenkins=affected,openshift-enterprise-3.6/jenkins=affected,openshift-enterprise-3.7/jenkins=affected,openshift-enterprise-3.9/jenkins=affected,openshift-enterprise-3.10/jenkins=affected
Gabe Montero <gmontero@redhat.com> changed:

What        |Removed |Added
---------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |CURRENTRELEASE
Last Closed |        |2019-03-05 03:05:26

--- Comment #4 from Gabe Montero <gmontero@redhat.com> ---
The v3.11 image has already been released with 2.150.2. Customers should look for:
registry.access.redhat.com/openshift3/jenkins-2-rhel7 v3.11 19080d270283 2 weeks ago 1.42GB
and the 4.0 image is shipping with 2.150.2
Per strategy for jenkins security advisories, we are only updating 3.11.x and 4.x. Instructions for how older 3.x clusters can use the 3.11.x image are at https://github.com/openshift/jenkins#jenkins-security-advisories-the-master-...
--- Comment #5 from Sam Fowler <sfowler@redhat.com> ---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHBA-2019:0326 https://access.redhat.com/errata/RHBA-2019:0326
Sam Fowler <sfowler@redhat.com> changed:

What       |Removed |Added
---------------------------------------------------------------------------
CC         |        |mmccomas@redhat.com, obulatov@redhat.com
Whiteboard |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.0/jenkins=notaffected,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=affected,openshift-enterprise-3.3/jenkins=affected,openshift-enterprise-3.4/jenkins=affected,openshift-enterprise-3.5/jenkins=affected,openshift-enterprise-3.6/jenkins=affected,openshift-enterprise-3.7/jenkins=affected,openshift-enterprise-3.9/jenkins=affected,openshift-enterprise-3.10/jenkins=affected |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.1/jenkins=notaffected,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=affected,openshift-enterprise-3.3/jenkins=affected,openshift-enterprise-3.4/jenkins=affected,openshift-enterprise-3.5/jenkins=affected,openshift-enterprise-3.6/jenkins=affected,openshift-enterprise-3.7/jenkins=affected,openshift-enterprise-3.9/jenkins=affected,openshift-enterprise-3.10/jenkins=affected
Dave Baker <dbaker@redhat.com> changed:

What       |Removed |Added
---------------------------------------------------------------------------
Whiteboard |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.1/jenkins=notaffected,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=affected,openshift-enterprise-3.3/jenkins=affected,openshift-enterprise-3.4/jenkins=affected,openshift-enterprise-3.5/jenkins=affected,openshift-enterprise-3.6/jenkins=affected,openshift-enterprise-3.7/jenkins=affected,openshift-enterprise-3.9/jenkins=affected,openshift-enterprise-3.10/jenkins=affected |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.1/jenkins=notaffected,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=wontfix,openshift-enterprise-3.3/jenkins=wontfix,openshift-enterprise-3.4/jenkins=wontfix,openshift-enterprise-3.5/jenkins=wontfix,openshift-enterprise-3.6/jenkins=wontfix,openshift-enterprise-3.7/jenkins=wontfix,openshift-enterprise-3.9/jenkins=affected,openshift-enterprise-3.10/jenkins=affected
Dave Baker <dbaker@redhat.com> changed:

What       |Removed |Added
---------------------------------------------------------------------------
Whiteboard |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.1/jenkins=notaffected,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=wontfix,openshift-enterprise-3.3/jenkins=wontfix,openshift-enterprise-3.4/jenkins=wontfix,openshift-enterprise-3.5/jenkins=wontfix,openshift-enterprise-3.6/jenkins=wontfix,openshift-enterprise-3.7/jenkins=wontfix,openshift-enterprise-3.9/jenkins=affected,openshift-enterprise-3.10/jenkins=affected |impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-all/jenkins=affected,openshift-enterprise-4.1/jenkins=notaffected,openshift-enterprise-3.11/jenkins=notaffected,openshift-enterprise-3.2/jenkins=wontfix,openshift-enterprise-3.3/jenkins=wontfix,openshift-enterprise-3.4/jenkins=wontfix,openshift-enterprise-3.5/jenkins=wontfix,openshift-enterprise-3.6/jenkins=wontfix,openshift-enterprise-3.7/jenkins=wontfix,openshift-enterprise-3.9/jenkins=wontfix,openshift-enterprise-3.10/jenkins=wontfix
Bug 1668345 depends on bug 1668446, which changed state.
Bug 1668446 Summary: CVE-2019-1003003 CVE-2019-1003004 jenkins: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1668446
What       |Removed |Added
---------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |EOL