ASA-2018-00013 – Jenkins: Sandbox Bypass in Script Security and Pipeline Groovy Plugins


Allele Security Alert

ASA-2018-00013

Identifier(s)

ASA-2018-00013, SECURITY-1186, CVE-2018-1000865, CVE-2018-1000866

Title

Sandbox Bypass in Script Security and Pipeline Groovy Plugins

Vendor(s)

Jenkins project

Product(s)

Jenkins Pipeline: Groovy Plugin
Jenkins Script Security Plugin

Affected version(s)

Pipeline: Groovy Plugin up to and including 2.59
Script Security Plugin up to and including 1.47

Fixed version(s)

Pipeline: Groovy Plugin version 2.60
Script Security Plugin version 1.48

Proof of concept

Unknown

Description

The Groovy Sandbox library used by the Script Security Plugin and the Pipeline: Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.

Finalize methods are now prohibited in classes subject to sandbox security.

This may result in existing sandboxed scripts, such as pipelines, starting to fail if they use this language feature.
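The following triage script is an added example, not code from this advisory or from the Jenkins project. It flags the two plugins when they are below the fixed versions listed above and finds finalize() declarations in pipeline scripts that will be rejected after the upgrade. The inventory format, the sample data and the declaration regex are assumptions: the regex is a line-based heuristic, and versions are assumed to be plain dotted numbers.

```python
import re

# Fixed versions from the advisory, keyed by the plugin short names that
# appear in the plugins.jenkins.io URLs in the reference list.
FIXED = {"workflow-cps": (2, 60), "script-security": (1, 48)}

# Heuristic (assumption): a declaration is one or more modifier/type words,
# then finalize(), an optional throws clause, then an opening brace.
FINALIZE_DECL = re.compile(
    r"^[ \t]*(?:[\w.<>\[\]]+[ \t]+)+finalize[ \t]*\([ \t]*\)"
    r"[ \t]*(?:throws[ \t]+[\w., \t]+?)?[ \t]*\{",
    re.MULTILINE,
)

def parse_version(text):
    """Turn '2.59' or '1.47.1' into a tuple of ints, stopping at a non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def affected_plugins(inventory):
    """Short names whose installed version is below the fixed version."""
    return sorted(name for name, version in inventory.items()
                  if name in FIXED and parse_version(version) < FIXED[name])

def finalize_overrides(script):
    """1-based line numbers of finalize() declarations in a Groovy script."""
    return [script.count("\n", 0, m.start()) + 1
            for m in FINALIZE_DECL.finditer(script)]

# Constructed sample data, not taken from a real Jenkins instance.
SAMPLE_INVENTORY = {"workflow-cps": "2.59", "script-security": "1.48", "git": "3.9.1"}
SAMPLE_PIPELINE = """\
class Cleanup {
    // void finalize() { commented out }
    protected void finalize() throws Throwable { println 'closing' }
}
node {
    stage('build') { helper.finalize() }
}
"""

if __name__ == "__main__":
    print("needs upgrade:", affected_plugins(SAMPLE_INVENTORY))
    print("finalize() declared on lines:", finalize_overrides(SAMPLE_PIPELINE))
```
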

Credits

Man Yue Mo (Semmle Security Research Team)

Reference(s)

Jenkins Security Advisory 2018-10-29
https://jenkins.io/security/advisory/2018-10-29/

CloudBees Security Advisory 2018-10-29
https://www.cloudbees.com/cloudbees-security-advisory-2018-10-29

Script sandbox bypass in multiple Jenkins plugins
https://seclists.org/oss-sec/2018/q4/106

Jenkins plugins security advisory
https://groups.google.com/forum/#!topic/jenkinsci-advisories/0nJ6_xrVGSc

Jenkins Plugins – Script Security
https://plugins.jenkins.io/script-security

Jenkins Plugins – Pipeline: Groovy
https://plugins.jenkins.io/workflow-cps

[SECURITY-1186] Forbid sandboxed classes from overriding finalize.
https://github.com/jenkinsci/groovy-sandbox/commit/0cd7ec12b7c56cfa3167d99c5f43147ce05449d3

CVE-2018-1000865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000865

CVE-2018-1000865
https://nvd.nist.gov/vuln/detail/CVE-2018-1000865

CVE-2018-1000866
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000866

CVE-2018-1000866
https://nvd.nist.gov/vuln/detail/CVE-2018-1000866

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.