ASA-2019-00005 – Jenkins: Sandbox Bypass in Script Security and Pipeline Plugins


Allele Security Alert

ASA-2019-00005

Identifier(s)

ASA-2019-00005, SECURITY-1266, CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002

Title

Sandbox Bypass in Script Security and Pipeline Plugins

Vendor(s)

Jenkins project

Product(s)

Jenkins Pipeline: Declarative Plugin
Jenkins Pipeline: Groovy Plugin
Jenkins Script Security Plugin

Affected version(s)

Pipeline: Declarative Plugin up to and including 1.3.4
Pipeline: Groovy Plugin up to and including 2.61
Script Security Plugin up to and including 1.49

Fixed version(s)

Pipeline: Declarative Plugin version 1.3.4.1
Pipeline: Groovy Plugin version 2.61.1
Script Security Plugin version 1.50
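
The version boundaries above can be checked against a plugin inventory. The following is an added example, not part of the original alert or of the Jenkins project: it assumes the inventory is text in `shortName:version` lines, and the plugin short names used as keys are assumptions that do not appear in the alert itself.

```python
import re

# Fixed versions as listed in this alert. The short names (plugin IDs) are an
# assumption of this example; the alert only gives the display names.
FIXED = {
    "pipeline-model-definition": "1.3.4.1",  # Pipeline: Declarative Plugin
    "workflow-cps": "2.61.1",                # Pipeline: Groovy Plugin
    "script-security": "1.50",               # Script Security Plugin
}

def parse_version(text):
    """Return a tuple of ints for a purely numeric dotted version, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))

def audit(plugin_list):
    """Map each tracked plugin found in 'shortName:version' lines to a status."""
    results = {}
    for raw in plugin_list.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if ":" not in line:
            continue
        name, version = (part.strip() for part in line.split(":", 1))
        if name not in FIXED:
            continue
        installed = parse_version(version)
        if installed is None:
            results[name] = "unknown"         # suffixed build: check by hand
        elif installed < parse_version(FIXED[name]):
            results[name] = "vulnerable"
        else:
            results[name] = "fixed"
    return results

# Constructed sample inventory, not taken from a real Jenkins instance.
SAMPLE = """\
script-security:1.49
workflow-cps:2.61.1
pipeline-model-definition:1.3.4   # pinned
git:3.9.1
"""

if __name__ == "__main__":
    for plugin, status in sorted(audit(SAMPLE).items()):
        print(f"{plugin}: {status} (fixed in {FIXED[plugin]})")
```

Versions with non-numeric suffixes are reported as `unknown` rather than guessed at, so they can be reviewed manually.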

Proof of concept

Yes

Description

Script Security sandbox protection could be circumvented during the script compilation phase by applying AST-transforming annotations such as @Grab to source code elements.

Both the pipeline validation REST APIs and actual script/pipeline execution are affected.

This allowed users with Overall/Read permission, or users able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master.

Technical details

Unknown

Credits

Orange Tsai (DEVCORE)

Reference(s)

Jenkins Security Advisory 2019-01-08
https://jenkins.io/security/advisory/2019-01-08/

CloudBees Security Advisory 2019-01-08
https://www.cloudbees.com/cloudbees-security-advisory-2019-01-08

Sandbox bypass in multiple Jenkins plugins
https://seclists.org/oss-sec/2019/q1/31

Jenkins RCE PoC. From unauthenticated user to remote code execution – it’s a hacker’s dream! (Chaining CVE-2019-1003000, CVE-2018-1999002, and more)
https://github.com/petercunha/Jenkins-PreAuth-RCE-PoC

[SECURITY-1266] Don’t execute AST transforms in validate/translate
https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/083abd96e68fd89f556a0cd53db5f878dbf09b92

[SECURITY-1266] Block problematic AST transforms from sandbox
https://github.com/jenkinsci/script-security-plugin/commit/2c5122e50742dd16492f9424992deb21cc07837c

CVE-2019-1003000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003000

CVE-2019-1003000
https://nvd.nist.gov/vuln/detail/CVE-2019-1003000

CVE-2019-1003001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003001

CVE-2019-1003001
https://nvd.nist.gov/vuln/detail/CVE-2019-1003001

CVE-2019-1003002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003002

CVE-2019-1003002
https://nvd.nist.gov/vuln/detail/CVE-2019-1003002


Last modified: June 20, 2019
