CloudBees CI 2024-11-13 SSO vulnerability mitigation

Issue

This issue impacts two CloudBees CI security realms for user authentication to controllers:

The “Single sign-on via operations center” with which controllers can delegate authentication to operations center
The “Single sign-on via CloudBees Software Delivery Automation” with which controllers and operations center can delegate authentication to CloudBees Software Delivery Automation.

In both implementations, a vulnerability would allow logging in using the affected SSO implementation with invalid credentials.

After logging in, the user identity is set, but no group memberships from the authentication provider are recognized, not even “authenticated”.

The impacts on the security of your instance vary, depending on the authorization strategy used, for additional details please review CloudBees Security Advisory 2024-11-13.

Environment

CloudBees CI on modern cloud platforms - operations center
CloudBees CI on modern cloud platforms - managed controller
CloudBees CI on traditional platforms - operations center
CloudBees CI on traditional platforms - client controller
For “Single sign-on via operations center” the problem was introduced in CloudBees CI 2.401.1.3 and resolved in CloudBees CI 2.426.2.2.
For “Single sign-on via CloudBees Software Delivery Automation” the problem was introduced in CloudBees CI 2.277.1.1 and resolved in CloudBees CI 2.479.1.4

Resolution

If you are using “Single sign-on via operations center” and you are in a version higher or equal to 2.401.1.3 then upgrade to 2.426.2.2.
If you are using “Single sign-on via CloudBees Software Delivery Automation” then upgrade CloudBees CI to version 2.479.1.4.

Mitigation

The mitigation will protect you from the issue, and does not require a CloudBees CI version upgrade. Applying the mitigation involves the following steps:

Installing a new plugin: CloudBees SSO Authentication Bypass Workaround Plugin (cloudbees-bee-43186-bee-53106-workaround).
It is recommended to restart the affected operations center and the controllers, but alternatively, if you are not using HA(Active-Active) you can avoid the restart by running a session invalidation script included below.

This mitigation is available for CloudBees CI versions 2.361.1.2 through 2.479.1.3 (inclusive).

Installation Scenarios

Installing the mitigation on the operations center or a standalone controller

Download the cloudbees-bee-43186-bee-53106-workaround plugin locally.
Go to Manage Jenkins Manage Plugins.
Select the Advanced settings menu item.
Under Deploy Plugin, select Choose File and then select the saved plugin file cloudbees-bee-43186-bee-53106-workaround.hpi.
Click Deploy.
Restart the operations center or controller (If using active/active HA managed controller, use the Reprovision button for that controller from the operations center). The plugin does not require any configuration.

For controllers that have connectivity to the CloudBees Update Site (Required URLs to allowlist), you can also install the plugin from Manage Jenkins Manage Plugins Available plugins after using the refresh button at the top right of the page (previously the Check now button), and searching for cloudbees-bee-43186-bee-53106-workaround:

This UI install method is not available for operations center, or controllers that are unable to connect to the CloudBees Update Site.

Installing on controllers in an operations center cluster with internet access

In any clustered environment with an operations center and controllers connected to it, you will need to apply the mitigation on the operations center (see Installing on anoperations center), as well as to the connected controllers.

To install the cloudbees-bee-43186-bee-53106-workaround plugin on multiple controllers managed an operations center, you can use a Cluster Operation.

NOTE: controllers must be running and connected for the Cluster Operation to be successful and correctly apply the mitigation, and also have internet access to download the mitigation plugin. We recommend starting controllers so that the below mitigation can run on them.

To create and configure a Cluster Operation:

On your operations center, select New Item and then select Cluster Operations.
Enter a name for the Cluster Operation (such as "Apply cloudbees-bee-43186-bee-53106-workaround to all online controllers").
Under Operations choose Add Operation and then controller
Under Source choose From Operations Center Root
In the Target controllers section, under Filters, select Add Filter and then select client controller/ managed controller Is Online.
Add the following steps:
1. An Execute Groovy Script on Controller where you should paste the script below:
  Jenkins.get().pluginManager.doCheckUpdatesServer() println("updated")
  ▼
2. An Install plugin step with the plugin ID set to cloudbees-bee-43186-bee-53106-workaround and no version (leave the Version field blank). Using no version instructs the system to use the most recent plugin available for the given controller.
3. Add the Restart Now step.
Select Save, and then Run the Cluster Operation.
If using active/active HA managed controller, use the Reprovision button for those controllers from the operations center
Install the plugin on your operations center following the steps from Installing the mitigation on the operations center or a stand-alone controller

Installing on controllers in an operations center cluster with no internet access

If your operations center and controllers do not have internet access, you can install the mitigation plugin using steps from the section Installing the mitigation on the operations center or a stand-alone controller, or by:

Download the cloudbees-bee-43186-bee-53106-workaround plugin locally.
Copy it into the JENKINS_HOME/plugins/ directory for each operations center and controller
Restart the operations center or controller (If using active/active HA managed controller, use the Reprovision button for that controller from the operations center). The plugin does not require any configuration.

Installing the mitigation using CasC

Installing the mitigation in operations center

The CloudBees SSO Authentication Bypass Workaround Plugin plugin is not included in the CloudBees Assurance Program (CAP), therefore, the corresponding plugin should be included in the plugin-catalog.yaml configuration file (depending on whether you are in an operations center or not). However, by default, the plugin-catalog.yaml can’t be used in the operations center unless the Java argument -Dcom.cloudbees.jenkins.cjp.installmanager.CJPPluginManager.enablePluginCatalogInOC=true is added to the operations center startup arguments, this startup argument is not required for controllers.

Installing the mitigation in controllers

For controllers, plugin catalog is available by default and it is not necessary to add any Java argument as it happens with the operations center.

Snippets for CasC

plugin-catalog.yaml

type: plugin-catalog
version: '1'
name: cloudbees-bee-43186-bee-53106-workaround
displayName: CloudBees SSO Authentication Bypass Workaround Plugin
configurations:
- description: Exported plugins
  includePlugins:
    cloudbees-bee-43186-bee-53106-workaround:
      version: ‘1.2’

plugins.yaml

plugins:
  - {id: "cloudbees-bee-43186-bee-53106-workaround"}

Script to invalidate active sessions

Below you can find a script that will invalidate active sessions. Please, be aware that the script will not work for HA (active/active) or CloudBees CI instances deployed on external servlet containers such as Apache Tomcat.

Finally, please take into consideration the fact that after running the script everyone will be logged out of the instance.

def servletContext = Jenkins.get().servletContext;
def isJetty = servletContext.class.name == 'org.eclipse.jetty.webapp.WebAppContext$Context' || servletContext.class.name == 'org.eclipse.jetty.ee9.webapp.WebAppContext$Context'
if (isJetty) {
  def contextHandler = servletContext.getContextHandler();
  def cache = contextHandler.getSessionHandler().getSessionCache()
  def dataStore = cache.getSessionDataStore()
  def isDefaultCache = cache.class.name == 'org.eclipse.jetty.session.DefaultSessionCache' || cache.class.name == 'org.eclipse.jetty.server.session.DefaultSessionCache'
  def isNullDataStore = dataStore.class.name == 'org.eclipse.jetty.session.NullSessionDataStore' || dataStore.class.name == 'org.eclipse.jetty.server.session.NullSessionDataStore'
  if (isDefaultCache && isNullDataStore) {
        println("Invalidating all sessions");
        cache.setInvalidateOnShutdown(true);
        cache.shutdown();
  } else {
    throw new Exception("Unsupported session cache and/or data store types: ${cache.class.name} and ${dataStore.class.name}");
  }

} else {
  // e.g. Tomcat
  throw new Exception("Unsupported servlet context ${servletContext.class.name}");
}
return null▼

You can run this script from an operations center or controller script console, or you can follow the steps below to run it using a cluster operation:

On your operations center, select New Item and then select Cluster Operations.
Enter a name for the Cluster Operation (such as "Invalidate active sessions to all online controllers").
Under Operations choose Add Operation and then controller
Under Source choose From Operations Center Root
In the Target controllers section, under Filters, select Add Filter and then select client controller/ managed controller Is Online.
Add the following steps:
1. An Execute Groovy Script on Controller where you should paste the script above.

Article last updated on 14th November 2024 15:47 UTC