https://bugzilla.redhat.com/show_bug.cgi?id=1501812
Bug ID: 1501812
Summary: jenkins: Arbitrary shell command execution on master by users with Agent-related permissions (SECURITY-478)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jkeck@redhat.com, kseifried@redhat.com, mizdebsk@redhat.com, msrb@redhat.com
Users with permission to create or configure agents in Jenkins could configure a launch method called Launch agent via execution of command on master. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched.
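An added audit script, not from the bug report or from the Jenkins project, that flags agents configured with this launch method: Jenkins serialises it in each agent's config.xml as a launcher of class hudson.slaves.CommandLauncher, and the command itself runs on the master. The two config.xml documents below are constructed samples, and the <agentCommand> element name is an assumption.

```python
"""Audit Jenkins agent config.xml documents for the 'execute command on master' launcher."""
import xml.etree.ElementTree as ET

# Launcher class behind "Launch agent via execution of command on master".
COMMAND_LAUNCHER = "hudson.slaves.CommandLauncher"

# Constructed samples of what GET /computer/<name>/config.xml returns for two
# agents; the <slave> root and <agentCommand> element names are assumptions.
SAMPLE_CONFIGS = {
    "build-1": """<slave>
  <name>build-1</name>
  <launcher class="hudson.slaves.JNLPLauncher"/>
</slave>""",
    "build-2": """<slave>
  <name>build-2</name>
  <launcher class="hudson.slaves.CommandLauncher">
    <agentCommand>ssh build-2 java -jar /opt/agent.jar</agentCommand>
  </launcher>
</slave>""",
}


def launcher_info(config_xml):
    """Return (launcher_class, command) for one agent config.xml.

    command is "" when the launcher carries no <agentCommand>; both values are
    None when the document has no <launcher> element at all.
    """
    root = ET.fromstring(config_xml)
    launcher = root.find("launcher")
    if launcher is None:
        return None, None
    cls = launcher.get("class", "")
    cmd_el = launcher.find("agentCommand")
    cmd = cmd_el.text.strip() if cmd_el is not None and cmd_el.text else ""
    return cls, cmd


def find_command_launchers(configs):
    """Map agent name -> command for every agent whose launcher runs a command on the master."""
    flagged = {}
    for name, xml in configs.items():
        cls, cmd = launcher_info(xml)
        if cls == COMMAND_LAUNCHER:
            flagged[name] = cmd
    return flagged


if __name__ == "__main__":
    for name, cmd in find_command_launchers(SAMPLE_CONFIGS).items():
        print(f"{name}: launcher executes on master -> {cmd!r}")
```

Pointing find_command_launchers at the config.xml of every node under /computer/ gives the list of agents whose launch settings are worth reviewing after this advisory.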
External References:
https://jenkins.io/security/advisory/2017-10-11/
Adam Mariš amaris@redhat.com changed:
Blocks
  Removed: (empty)
  Added:   1501826
Kurt Seifried kseifried@redhat.com changed:
Depends On
  Removed: (empty)
  Added:   1501967

--- Comment #1 from Kurt Seifried kseifried@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: openshift-1 [bug 1501967]
Mark Knowles mknowles@redhat.com changed:
Whiteboard
  Removed: impact=important,public=20171011,reported=20171011,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-732,openshift-enterprise-3/jenkins=new,openshift-1/jenkins=affected,fedora-all/jenkins=affected
  Added:   impact=important,public=20171011,reported=20171011,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-732,openshift-enterprise-3/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
Mark Knowles mknowles@redhat.com changed:
Depends On
  Removed: (empty)
  Added:   1515065, 1515066

--- Comment #2 from Mark Knowles mknowles@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1515065]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1515065 [Bug 1515065] jenkins: Arbitrary shell command execution on master by users with Agent-related permissions (SECURITY-478) [fedora-all]
Adam Mariš amaris@redhat.com changed:
Summary
  Removed: jenkins: Arbitrary shell command execution on master by users with Agent-related permissions (SECURITY-478)
  Added:   CVE-2017-1000393 jenkins: Arbitrary shell command execution on master by users with Agent-related permissions (SECURITY-478)
Alias
  Removed: (empty)
  Added:   CVE-2017-1000393
--- Comment #4 from Jason Shepherd jshepherd@redhat.com ---
openshift3/jenkins-2-rhel7 now uses version 2.89.2
Marking Openshift Enterprise 3 as not affected.
Jason Shepherd jshepherd@redhat.com changed:
CC
  Removed: (empty)
  Added:   ahardin@redhat.com, dbaker@redhat.com, jokerman@redhat.com, mchappel@redhat.com
Whiteboard
  Removed: impact=important,public=20171011,reported=20171011,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-732,openshift-enterprise-3/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
  Added:   impact=important,public=20171011,reported=20171011,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-732,openshift-enterprise-3/jenkins=notaffected,openshift-1/jenkins=affected,fedora-all/jenkins=affected