Allele Security Alert
ASA-2019-00092
Identifier(s)
ASA-2019-00092, SECURITY-859, CVE-2019-1003009
Title
Improper certificate validation with StartTLS in Active Directory Plugin
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Active Directory Plugin up to and including 2.10
Fixed version(s)
Active Directory Plugin version 2.11
Proof of concept
Unknown
Description
Active Directory Plugin performs a TLS upgrade (StartTLS) after connecting to domain controllers over plain, unencrypted LDAP. In this mode, the server certificate presented during the upgrade was not properly validated, so any certificate was effectively trusted. An attacker positioned between Jenkins and the domain controller could therefore present their own certificate, complete the upgrade, and read or modify the traffic that followed, including the bind credentials, enabling man-in-the-middle attacks.
This affected only the StartTLS upgrade path. The LDAPS mode, enabled by setting the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected.
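The pattern the advisory describes, shown as an added illustration (this is not the Active Directory Plugin's code, and the plugin's actual fix in 2.11 is not reproduced here): a JNDI StartTLS upgrade that trusts every certificate, placed beside one that lets the JVM validate the chain and the host name. The domain controller host name, the bind DN and the password are placeholders.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Illustrative StartTLS client over JNDI (not the plugin's own code).
 * Host name and credentials below are placeholders, not real values.
 */
public class StartTlsDemo {

    /** Opens a plain-text LDAP connection on 389; nothing is protected yet. */
    static LdapContext plainContext(String host) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389/");
        return new InitialLdapContext(env, null);
    }

    /**
     * INSECURE: a trust manager that never rejects a chain, plus a
     * HostnameVerifier that always says yes. Any certificate, including one
     * presented by an on-path attacker, completes the upgrade, and the bind
     * that follows hands the credentials to whoever answered.
     */
    static SSLSession upgradeTrustAll(LdapContext ctx)
            throws NamingException, IOException, GeneralSecurityException {
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { } // never throws
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAll, null);
        tls.setHostnameVerifier((hostname, session) -> true); // name mismatch ignored as well
        return tls.negotiate(sc.getSocketFactory());
    }

    /**
     * HARDENED: the default SSLSocketFactory validates the chain against the
     * JVM trust store (cacerts, or -Djavax.net.ssl.trustStore), and
     * StartTlsResponse checks the certificate's name against the host we
     * connected to unless a HostnameVerifier overrides it. A forged or
     * mis-issued certificate makes negotiate() throw before any bind is sent.
     */
    static SSLSession upgradeValidated(LdapContext ctx) throws NamingException, IOException {
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        return tls.negotiate((SSLSocketFactory) SSLSocketFactory.getDefault());
    }

    /** Simple bind, issued only after the channel has been upgraded. */
    static void bind(LdapContext ctx, String userDn, String password) throws NamingException {
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null); // performs the bind over the TLS-protected connection
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "dc01.example.test"; // placeholder DC
        boolean insecure = args.length > 1 && "--insecure".equals(args[1]);
        LdapContext ctx = plainContext(host);
        try {
            SSLSession session = insecure ? upgradeTrustAll(ctx) : upgradeValidated(ctx);
            System.out.println("TLS established with " + session.getPeerPrincipal());
            bind(ctx, "CN=svc-jenkins,CN=Users,DC=example,DC=test", "placeholder-password");
            System.out.println("bind OK");
        } catch (IOException e) {
            // Validated mode ends here when the chain is untrusted or the name
            // does not match: the credentials are never transmitted.
            System.out.println("StartTLS rejected: " + e);
        } finally {
            ctx.close();
        }
    }
}
```

Running the validated mode against a controller whose certificate does not chain to a CA in the JVM trust store fails the upgrade, so the first operational check after deploying an LDAP-over-StartTLS client is that it fails against an untrusted certificate rather than silently succeeding. The advisory's LDAPS workaround for unpatched instances is the system property named above, passed to the Jenkins JVM with the standard `-D` syntax, e.g. `-Dhudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true`; it bypasses the StartTLS path entirely by connecting over LDAPS, which was not affected.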
Technical details
Unknown
Credits
Chris Jacobs (Comscore, Inc)
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28/
Jenkins Plugins
https://plugins.jenkins.io/active-directory
CVE-2019-1003009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003009
CVE-2019-1003009
https://nvd.nist.gov/vuln/detail/CVE-2019-1003009
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019