https://bugzilla.redhat.com/show_bug.cgi?id=1694532
Bug ID: 1694532
Summary: CVE-2019-1003040 jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190325,reported=20190326,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-704,fedora-all/jenkins-script-security-plugin=affected,openshift-enterprise-3.4/jenkins-plugin-script-security=new,openshift-enterprise-3.5/jenkins-plugin-script-security=new,openshift-enterprise-3.6/jenkins-plugin-script-security=new,openshift-enterprise-3.7/jenkins-plugin-script-security=new,openshift-enterprise-3.9/jenkins-plugin-script-security=new,openshift-enterprise-3.10/jenkins-plugin-script-security=new,openshift-enterprise-3.11/jenkins-2-plugins=new,openshift-enterprise-4.1/jenkins-2-plugins=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: sfowler@redhat.com
CC: ahardin@redhat.com, aos-bugs@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, eparis@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jokerman@redhat.com, mchappel@redhat.com, mizdebsk@redhat.com, mmccomas@redhat.com, msrb@redhat.com, obulatov@redhat.com, wzheng@redhat.com
Target Milestone: ---
Classification: Other
Sandbox protection in the Jenkins Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.
External Reference:
https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1694533
--- Comment #1 from Sam Fowler sfowler@redhat.com ---
Created jenkins-script-security-plugin tracking bugs for this issue:
Affects: fedora-all [bug 1694533]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1694533 [Bug 1694533] CVE-2019-1003040 jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353) [fedora-all]
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1694534
Whiteboard (removed): impact=important,public=20190325,reported=20190326,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-704,fedora-all/jenkins-script-security-plugin=affected,openshift-enterprise-3.4/jenkins-plugin-script-security=new,openshift-enterprise-3.5/jenkins-plugin-script-security=new,openshift-enterprise-3.6/jenkins-plugin-script-security=new,openshift-enterprise-3.7/jenkins-plugin-script-security=new,openshift-enterprise-3.9/jenkins-plugin-script-security=new,openshift-enterprise-3.10/jenkins-plugin-script-security=new,openshift-enterprise-3.11/jenkins-2-plugins=new,openshift-enterprise-4.1/jenkins-2-plugins=new
Whiteboard (added): impact=important,public=20190325,reported=20190326,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-704,fedora-all/jenkins-script-security-plugin=affected,openshift-enterprise-3.4/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.5/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.6/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.7/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.9/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.10/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.11/jenkins-2-plugins=affected,openshift-enterprise-4.1/jenkins-2-plugins=affected
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1694540
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1694541
--- Comment #4 from Sam Fowler sfowler@redhat.com ---
"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."
https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-...
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2019:1423 https://access.redhat.com/errata/RHSA-2019:1423
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
External Bug ID| |Red Hat Product Errata RHSA-2019:1423
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
Last Closed| |2019-06-10 22:58:58
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard (removed): impact=important,public=20190325,reported=20190326,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-704,fedora-all/jenkins-script-security-plugin=affected,openshift-enterprise-3.4/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.5/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.6/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.7/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.9/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.10/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.11/jenkins-2-plugins=affected,openshift-enterprise-4.1/jenkins-2-plugins=affected
Whiteboard (added): impact=important,public=20190325,reported=20190326,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-704,fedora-all/jenkins-script-security-plugin=affected,openshift-enterprise-3.4/jenkins-plugin-script-security=new,openshift-enterprise-3.5/jenkins-plugin-script-security=new,openshift-enterprise-3.6/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.7/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.9/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.10/jenkins-plugin-script-security=wontfix,openshift-enterprise-3.11/jenkins-2-plugins=affected,openshift-enterprise-4.1/jenkins-2-plugins=notaffected
Bug 1694532 depends on bug 1694533, which changed state.
Bug 1694533 Summary: CVE-2019-1003040 jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353) [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1694533
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |EOL
--- Doc Text *updated* by Eric Christensen sparks@redhat.com ---
A flaw was found in the Jenkins Script Security plugin. Sandbox protection in the Script Security and Pipeline: Groovy plugins could be circumvented through methods supporting type casts and type coercion, allowing attackers to invoke constructors for arbitrary types. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.