Jenkins warns of security holes in these 25 plugins
Relax, most of the vulnerabilities so far have, er, no fix
Jenkins, an open-source automation server for continuous integration and delivery (CI/CD), has published 34 security advisories covering 25 plugins used to extend the software.
Eleven of the advisories are rated high severity, 14 are medium, and 9 are said to be low.
The vulnerabilities described include: cross-site scripting (XSS); passwords, API keys, secrets, and tokens stored in plaintext; cross-site request forgery (CSRF); and missing and incorrect permission checks.
The following plugins are affected:
Build Notifications Plugin, build-metrics Plugin, Cisco Spark Plugin, Deployment Dashboard Plugin, Elasticsearch Query Plugin, eXtreme Feedback Panel Plugin, Failed Job Deactivator Plugin, GitLab Plugin, HPE Network Virtualization Plugin, Jigomerge Plugin, Matrix Reloaded Plugin, OpsGenie Plugin, Plot Plugin, Project Inheritance Plugin, Recipe Plugin, Request Rename Or Delete Plugin, requests-plugin Plugin, Rich Text Publisher Plugin, RocketChat Notifier Plugin, RQM Plugin, Skype notifier Plugin, TestNG Results Plugin, Validating Email Parameter Plugin, XebiaLabs XL Release Plugin, and XPath Configuration Viewer Plugin.
Sean Gallagher, senior threat researcher at Sophos, told The Register that individually, the vulnerabilities should not be a huge concern.
As a whole, that’s a whole lot of attack surface
"But taken as a whole, that’s a whole lot of attack surface," said Gallagher, adding that many organizations are not particularly diligent about securing their cloud Jenkins instances.
Jenkins, he said, is fairly common and can be taken as another example of an under-supported open-source platform.
"What is most concerning is how many of these are no-fix," said Gallagher.
Indeed, for 21 out of the 25 cited plugins, no fixes are available.
The June 30 advisory follows a similar advisory from June 22, covering 28 plugins and Jenkins core software. For 14 of these plugins, no fix is available.
“These kinds of flaws are not uncommon – in past research at NCC Group, we’ve found vulnerabilities in over 100 Jenkins plugins," said Jennifer Fernick, SVP and global head of research at NCC Group, a security consultancy, in an email to The Register.
"Concerningly, several of even the high-severity vulnerabilities in today’s advisory lack patches, leaving development teams using these plugins entirely vulnerable to attack.
"This is particularly concerning given the highly privileged nature of automation tools such as Jenkins, and the ways in which insecure CI/CD pipelines can enable supply chain attacks during the software development process.”
CIOs largely believe their software supply chain is vulnerableREAD MORE
In a write-up earlier this year, NCC described ten attacks that compromised Jenkins and other CI/CD systems during security assessments for clients.
These attacks were made possible, NCC said, mostly by the same root causes, including default configurations, overly permissive permissions and roles, lack of security controls, and lack of system segmentation.
The security firm describes one attack involving a GitHub OAuth plugin that was deployed in Jenkins for authentication and authorization. Because the plugin granted
READ permissions to all authenticated users and the "Use GitHub repository permissions" option was checked to allow anyone with a GitHub account access the Jenkins web login interface, an NCC researcher was able to register and use a personal hosted email account to gain access to the client's projects.
"CI/CD pipelines are complex environments," NCC's post explained. "This complexity requires methodical & comprehensive reviews to secure the entire stack. Often a company may lack the time, specialist security knowledge, and people needed to secure their CI/CD pipeline(s).
"Fundamentally, a CI/CD pipeline is remote code execution, and must be configured properly." ®