ASA-2019-00092 – Jenkins: Improper certificate validation with StartTLS in Active Directory Plugin


Allele Security Alert

ASA-2019-00092

Identifier(s)

ASA-2019-00092, SECURITY-859, CVE-2019-1003009

Title

Improper certificate validation with StartTLS in Active Directory Plugin

Vendor(s)

CloudBees, Inc

Product(s)

Jenkins

Affected version(s)

Active Directory Plugin up to and including 2.10

Fixed version(s)

Active Directory Plugin version 2.11

Proof of concept

Unknown

Description

Active Directory Plugin performs a TLS upgrade (StartTLS) after connecting to domain controllers over insecure LDAP. In this mode, certificates were not properly validated, effectively trusting all certificates and allowing man-in-the-middle attacks.

This only affected TLS upgrades. The LDAPS mode, available by setting the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected.
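The following Java is an illustrative example added to this alert; it is not the plugin's own code. It shows, with JNDI's StartTlsResponse, the weak pattern the description refers to (a trust-all TrustManager handed to the StartTLS negotiation) beside the validating form, where the JVM default socket factory enforces the trust store and hostname check. The class name, method names and the LDAP URL are placeholders.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;

public class StartTlsExample {

    // Weak pattern: a TrustManager that accepts every chain. A socket factory
    // built from it makes the StartTLS upgrade accept any certificate, which is
    // the class of defect the advisory describes.
    static TrustManager[] trustAll() {
        return new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }

    static LdapContext connectStartTls(String url, boolean validateCerts)
            throws NamingException, IOException, GeneralSecurityException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // e.g. ldap://dc.example.test:389 (placeholder)
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        if (validateCerts) {
            // Hardened: null selects the JVM default SSLSocketFactory, so the
            // trust store and the built-in hostname check reject bad certificates.
            tls.negotiate(null);
        } else {
            SSLContext sc = SSLContext.getInstance("TLS");
            sc.init(null, trustAll(), null);
            tls.negotiate(sc.getSocketFactory());
        }
        // Credentials are only sent after the TLS layer is established.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        return ctx;
    }
}
```

Calling connectStartTls(url, false) against a controller presenting an untrusted certificate succeeds silently, whereas connectStartTls(url, true) fails the negotiation; the fixed plugin release, or forcing LDAPS as noted above, gives the validating behaviour.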

Technical details

Unknown

Credits

Chris Jacobs (Comscore, Inc)

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28/

Jenkins Plugins
https://plugins.jenkins.io/active-directory

CVE-2019-1003009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003009

CVE-2019-1003009
https://nvd.nist.gov/vuln/detail/CVE-2019-1003009

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.