Allele Security Alert
ASA-2019-00092, SECURITY-859, CVE-2019-1003009
Improper certificate validation with StartTLS in Active Directory Plugin
Vulnerable versions
Active Directory Plugin up to and including 2.10
Fixed versions
Active Directory Plugin version 2.11
Proof of concept
Description
Active Directory Plugin connects to domain controllers over unencrypted LDAP and then upgrades the connection to TLS (StartTLS). In this mode the server certificate was not properly validated: any certificate presented by the peer was accepted, which allowed man-in-the-middle attacks against the connection.
This only affected TLS upgrades. The LDAPS mode, enabled by setting the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected.
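The following is an added illustration, not the plugin's code and not taken from the Jenkins advisory. It shows, with the standard JDK JNDI API (StartTlsRequest, StartTlsResponse.negotiate, setHostnameVerifier), what a StartTLS upgrade looks like when certificate validation is left intact beside the "trust all certificates" pattern the advisory describes. The domain controller host name, bind DN and password are assumed placeholders.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Illustrative JNDI StartTLS client; not the Active Directory Plugin's code. */
public class LdapStartTlsExample {

    // Assumed placeholders: replace with real values for your environment.
    private static final String DC_HOST = "dc01.example.test";
    private static final String BIND_DN = "CN=svc-jenkins,OU=Service,DC=example,DC=test";
    private static final String BIND_PW = "replace-me";

    /** Opens the plain LDAP connection that StartTLS will later upgrade. */
    private static LdapContext plainConnect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + DC_HOST + ":389"); // unencrypted at this point
        return new InitialLdapContext(env, null);
    }

    /**
     * Hardened form. With no SSLSocketFactory argument the JDK default factory
     * validates the chain against the JVM trust store, and with no hostname
     * verifier installed StartTlsResponse checks the certificate name against
     * DC_HOST and throws SSLPeerUnverifiedException on a mismatch.
     */
    static LdapContext connectStrict() throws NamingException, IOException {
        LdapContext ctx = plainConnect();
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();
        bind(ctx);
        return ctx;
    }

    /**
     * Weak form, shown for contrast: this is what "trusting all certificates"
     * looks like. Any on-path party can complete the handshake with any
     * certificate and then read the bind credentials sent afterwards.
     */
    static LdapContext connectTrustAll() throws NamingException, IOException, GeneralSecurityException {
        LdapContext ctx = plainConnect();
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.setHostnameVerifier((hostname, session) -> true); // accepts any name
        TrustManager acceptAll = new X509TrustManager() {      // accepts any chain
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { acceptAll }, null);
        tls.negotiate(sc.getSocketFactory());
        bind(ctx);
        return ctx;
    }

    /** Credentials are added only after the TLS upgrade so they never cross the wire in clear. */
    private static void bind(LdapContext ctx) throws NamingException {
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, BIND_PW);
        ctx.reconnect(null); // re-bind with the new credentials over the TLS-protected connection
    }

    public static void main(String[] args) throws Exception {
        LdapContext ctx = connectStrict();
        System.out.println("StartTLS negotiated with certificate and hostname validation");
        ctx.close();
    }
}
```

When reviewing a client that does StartTLS, the two things to look for are exactly the two calls in connectTrustAll: a hostname verifier that always returns true and a trust manager whose checkServerTrusted is empty. Either one alone is enough to let an on-path party terminate the TLS session; the plugin's LDAPS mode (forceLdaps) avoided the problem because the connection was TLS from the first byte and went through the default validation path.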
Credits
Chris Jacobs (Comscore, Inc)
References
Jenkins Security Advisory 2019-01-28
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019