Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 937546 (CVE-2024-43044, CVE-2024-43045) - <dev-util/jenkins-bin-{2.452.4:lts,2.471}: Multiple Vulnerabilities
Summary: <dev-util/jenkins-bin-{2.452.4:lts,2.471}: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2024-43044, CVE-2024-43045
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.jenkins.io/security/advis...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-08-08 06:10 UTC by Hans de Graaff
Modified: 2024-08-14 07:49 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2024-08-08 06:10:22 UTC
Arbitrary file read vulnerability through agent connections can lead to RCE
SECURITY-3430 / CVE-2024-43044
Severity (CVSS): Critical
Description:

Jenkins uses the Remoting library (typically agent.jar or remoting.jar) for the communication between controller and agents. This library allows agents to load classes and classloader resources from the controller, so that Java objects sent from the controller (build steps, etc.) can be executed on agents.

In addition to individual class and resource files, Remoting also allows Jenkins plugins to transmit entire jar files to agents using the Channel#preloadJar API. As of publication of this advisory, this feature is used by the following plugins distributed by the Jenkins project: bouncycastle API, Groovy, Ivy, TeamConcert

In Remoting 3256.v88a_f6e922152 and earlier, except 3206.3208.v409508a_675ff and 3248.3250.v3277a_8e88c9b_, included in Jenkins 2.470 and earlier, LTS 2.452.3 and earlier, calls to Channel#preloadJar result in the retrieval of files from the controller by the agent using ClassLoaderProxy#fetchJar. Additionally, the implementation of ClassLoaderProxy#fetchJar invoked on the controller does not restrict paths that agents could request to read from the controller file system.

This allows agent processes, code running on agents, and attackers with Agent/Connect permission to read arbitrary files from the Jenkins controller file system.
	This is a critical vulnerability as the information obtained can be used to increase access up to and including remote code execution (RCE). See SECURITY-3314 for known impacts of exploiting arbitrary file read vulnerabilities in Jenkins. Be aware that the limitation of unreadable binary data with some character encodings discussed in SECURITY-3314 does not apply to SECURITY-3430.

The Remoting library in Jenkins 2.471, LTS 2.452.4, LTS 2.462.1 now sends jar file contents with Channel#preloadJar requests, the only use case of ClassLoaderProxy#fetchJar in agents, so that agents do not need to request jar file contents from controllers anymore.


Missing permission check allows accessing other users' "My Views"
SECURITY-3349 / CVE-2024-43045
Severity (CVSS): Medium
Description:

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "My Views".

Jenkins 2.471, LTS 2.452.4, LTS 2.462.1 restricts access to a user’s "My Views" to the owning user and administrators.
Comment 1 Larry the Git Cow gentoo-dev 2024-08-14 07:49:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a16b29185829c109b2129c3184873ab814369384

commit a16b29185829c109b2129c3184873ab814369384
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-08-14 07:45:30 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-14 07:48:59 +0000

    dev-util/jenkins-bin: drop 2.452.3, 2.454
    
    Bug: https://bugs.gentoo.org/937546
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  2 --
 dev-util/jenkins-bin/jenkins-bin-2.452.3.ebuild | 44 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.454.ebuild   | 44 -------------------------
 3 files changed, 90 deletions(-)