Jenkins integration server suffers security vulnerabilities

Four vulnerabilities, including two affecting the Jenkins core and one deemed critical, have been identified

Jenkins, the open source continuous integration server that forked out of Oracle's Hudson project, is facing several security vulnerabilities Monday, with the Jenkins project leader recommending upgrades to the Jenkins core and some plug-ins to fix the problems.

A security advisory posted by project leader Kohsuke Kawaguchi cites four vulnerabilities, including two affecting the Jenkins core. The first vulnerability has been deemed critical. "The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins," the security advisory said.


The second vulnerability in the core is a cross-site scripting flaw that allows an attacker to craft a URL pointing to Jenkins and use it to hijack a legitimate user's session. Two other vulnerabilities, also cross-site scripting, affect the Violations and Continuous Integration Game plug-ins. The Violations plug-in scans for violation XML files in the build workspace; the CI Game plug-in offers tips on improving builds.

To fix the core vulnerabilities, mainline users should upgrade to Jenkins 1.482 and LTS (Long-Term Support) users to version 1.466.2. To fix the Violations plug-in, upgrade to version 0.7.11 or later; the CI Game plug-in is remedied by upgrading to 1.19 or later.
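A version check written against the fixed versions quoted above, as an added example that is not from the advisory or the Jenkins project; the plug-in short names (`violations`, `ci-game`) and the sample inventory are assumptions. It tells LTS from mainline cores by the number of version components and compares versions numerically, so 0.7.9 is correctly treated as older than 0.7.11.

```python
# Added example (not from the article or the Jenkins project): report which
# upgrades from the advisory are still outstanding for one Jenkins install.
from typing import Dict, List, Tuple

# Fixed versions as reported in the article.
CORE_FIXED_MAINLINE = "1.482"
CORE_FIXED_LTS = "1.466.2"
# Plug-in short names are assumed identifiers, not taken from the advisory.
PLUGIN_FIXED = {
    "violations": "0.7.11",
    "ci-game": "1.19",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 0.7.11 > 0.7.9 compares correctly."""
    return tuple(int(p) for p in v.strip().split("."))

def is_lts_core(v: str) -> bool:
    # LTS releases carry a third component (1.466.2); mainline releases have two (1.482).
    return len(parse_version(v)) == 3

def core_fixed_target(v: str) -> str:
    return CORE_FIXED_LTS if is_lts_core(v) else CORE_FIXED_MAINLINE

def core_is_fixed(v: str) -> bool:
    return parse_version(v) >= parse_version(core_fixed_target(v))

def plugin_is_fixed(short_name: str, v: str) -> bool:
    return parse_version(v) >= parse_version(PLUGIN_FIXED[short_name])

def audit(core_version: str, plugins: Dict[str, str]) -> List[str]:
    """Return the upgrade actions still required; an empty list means patched."""
    actions = []
    if not core_is_fixed(core_version):
        actions.append(f"core {core_version} -> upgrade to {core_fixed_target(core_version)}")
    for name, v in plugins.items():
        # Plug-ins not named in the advisory are ignored.
        if name in PLUGIN_FIXED and not plugin_is_fixed(name, v):
            actions.append(f"plugin {name} {v} -> upgrade to {PLUGIN_FIXED[name]}")
    return actions

if __name__ == "__main__":
    # Constructed sample inventory for a hypothetical LTS server.
    sample_plugins = {"violations": "0.7.9", "ci-game": "1.19"}
    for action in audit("1.466.1", sample_plugins):
        print(action)
```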

Kawaguchi said the fixes plug all known holes. "However, the nature of this game is such that someone will find a new vulnerability --- it's just a matter of when. So we encourage users, especially those who run Jenkins in a higher-risk environment (on the public Internet, in a security sensitive environment, etc.), to monitor security advisories by subscribing to the mailing list or an RSS feed."

He assuaged fears about the vulnerabilities, noting limitations. "Those who are running Jenkins inside a corporate firewall, which I think are the majority, [have] a mitigating factor, because one of the vulnerabilities requires an attacker to have an HTTP access to the Jenkins master and the other vulnerability requires the attacker to know the URL of your Jenkins. So it pretty much requires an attacker to be an insider." But he added, "Nonetheless, we recommend everyone to update to a version that contains the fix in a timely fashion."

Jenkins forked out of Project Hudson in the wake of Oracle's 2010 acquisition of Sun Microsystems. Oracle has since handed Hudson over to the Eclipse Foundation.

This article by Paul Krill, "Jenkins integration server suffers security vulnerabilities," was originally published at InfoWorld.