How to block access to URLs vulnerable to SECURITY-2469/CVE-2021-21678

Article ID: 4406050694299

Issue

  • On August 31st, 2021, CloudBees announced a security advisory that included the Jenkins security issue SECURITY-2469/CVE-2021-21678. As a mitigation to the security issue, I want to block access to a known vulnerable URL pattern on my controllers and operations center.

Resolution

The fastest way to mitigate this vulnerability is to use the CloudBees Request Filter Plugin to block the problematic URL pattern. If you use Configuration as Code, it can both automate the installation of the CloudBees Request Filter Plugin and create the URL pattern.

This mitigation is required on the operations center and on every controller connected to the operations center where the SAML plugin is installed and enabled.

For standalone controllers not connected to the operations center, the mitigation is required if the SAML plugin is installed and enabled.

Blocking access to vulnerable URLs with the CloudBees Request Filter plugin

To mitigate the Jenkins security issue SECURITY-2469, you can use the CloudBees Request Filter plugin to block access to a URL pattern that is known to be vulnerable. This process does not require an upgrade or a restart.

CloudBees recommends that all customers perform the steps in this article as soon as possible, to ensure you are protected from the vulnerability. Then, once you have completed these steps, you can plan for and test an upgrade to the versions containing the fix by contacting CloudBees for an Assisted Update. Once you have upgraded to a version containing the mitigation, you can remove the Request Filtering pattern that was created for the mitigation in this article.

Installing and configuring the mitigation on the operations center

Complete the following procedures if the SAML plugin is installed and enabled on the operations center.

Install the CloudBees Request Filter plugin

If you don’t have the CloudBees Request Filter plugin, you must first download and install it.

  1. Download the CloudBees Request Filter plugin for your version of the operations center and save it locally.

    Operations center version               Plugin version
    2.235.2.3 or newer                      1.7
    2.107.1.2 to 2.235.2.3 (not included)   1.5
    2.73.1.2 to 2.107.1.2 (not included)    1.3
    before 2.73.1.2                         1.2

  2. Go to Manage Jenkins -> Manage Plugins.

  3. Select the Advanced tab.

  4. Under Upload Plugin, select Choose File and then select the saved plugin file (cloudbees-request-filter.hpi).

  5. Select Upload.

Configure the Request Filter plugin

Once you have downloaded and installed the Request Filter plugin, you can configure it to block URLs.

  1. Go to Manage Jenkins -> Configure System.

  2. In the Request Filtering section, select Add rule.

  3. In the URI pattern field, enter the following regex pattern: .+[/\\]securityRealm[/\\]finishLogin.*

  4. Select Custom response, and then complete the following fields:

    1. Under Response Code, enter 403.

    2. Under Content Type, leave text/html.

    3. Under Content, enter the following:

      <h1>Forbidden call</h1>
      For more information, please visit the <a href="https://cloudbees.com/r/support/cloudbees-security-advisory-2021-08-31">following page</a>
      or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2469.
  5. Select Save.

Installing and configuring the mitigation on a standalone controller

Complete the following procedures for any standalone controllers that have the SAML plugin installed and enabled.

Install the CloudBees Request Filter plugin

If you don’t have the CloudBees Request Filter plugin, you must first download and install it.

  1. Go to Manage Jenkins -> Manage Plugins.

  2. Select the Available tab.

  3. Search for CloudBees Request Filter Plugin.

  4. Select Install without restart.

Configure the Request Filter plugin

Once you have downloaded and installed the Request Filter plugin, you can configure it to block URLs.

  1. Go to Manage Jenkins -> Configure System.

  2. In the Request Filtering section, select Add rule.

  3. In the URI pattern field, enter the following regex pattern: .+[/\\]securityRealm[/\\]finishLogin.*

  4. Select Custom response, and then complete the following fields:

    1. Under Response Code, enter 403.

    2. Under Content Type, leave text/html.

    3. Under Content, enter the following:

      <h1>Forbidden call</h1>
      For more information, please visit the <a href="https://cloudbees.com/r/support/cloudbees-security-advisory-2021-08-31">following page</a>
      or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2469.
  5. Select Save.

Installing and configuring on controllers in an operations center cluster

In any clustered environment with an operations center and controllers connected to it, you need to apply the mitigation to the operations center (see Installing and configuring the mitigation on the operations center) as well as to every controller where the SAML plugin is installed and enabled.

To install and configure the CloudBees Request Filter plugin on multiple controllers managed by a CloudBees operations center, you can use a Cluster Operation.

Note: Controllers must be Running and Connected for the Cluster Operation to be successful and correctly apply the mitigation.

To create and configure a Cluster Operation:

  1. On your operations center, select New Item and then select Cluster Operations.

  2. Enter a name for the Cluster Operation (such as Apply SECURITY-2469 to all online controllers).

  3. (Optional) You can configure the Cluster Operation with Build Triggers -> Build periodically to run it periodically. It is safe to run the Cluster Operation multiple times on the same controllers (it is idempotent).

  4. In the Target Managed controllers section, add the controllers on which you want to block URLs (such as From Operations Center Root).

  5. Under Filters, select Add Filter and then select Client Controller / Managed Controller Is Online.

  6. Add the following steps:

    1. An Install plugin step with the plugin ID set to cloudbees-request-filter and no version (leave the Version field blank). Using no version instructs the system to use the most recent plugin available for the given controller.

    2. An Execute Groovy Script on Controller step using the following script:

       import com.cloudbees.jenkins.plugins.requestfilter.*
      
       String mitigationPattern = '.+[/\\\\]securityRealm[/\\\\]finishLogin.*'
       int responseCode = 403
       String responseContent =
       '''
       <h1>Forbidden call</h1>
       For more information, please visit the <a href="https://cloudbees.com/r/support/cloudbees-security-advisory-2021-08-31">following page</a>
       or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2469.
       '''
       String responseContentType = 'text/html'
      
       // Let's preserve existing configuration, if any.
       // Also, this code is idempotent so we can run it multiple times without worrying we'd add X times the same config
       List<Rule> existingRules = new ArrayList(Rules.get().getRules()) // reinstantiation needed because emptyList() is immutable
      
       if( existingRules.collect { rule -> rule.pattern }
                        .findAll { rulePattern -> mitigationPattern.equals(rulePattern) }
                        .isEmpty() )
       {
         println "mitigation pattern not found, adding it"
         Rule mitigationRule = new Rule(mitigationPattern)
         mitigationRule.setResponse(new Response(responseCode,responseContentType,responseContent))
         existingRules.add(mitigationRule)
         Rules.get().setRules(existingRules)
       } else {
         println 'mitigation pattern found, no-op'
       }
  7. Select Save, and then Run.
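After the Cluster Operation has run (or after you have configured a controller by hand), it is worth confirming that every controller really answers the blocked URL with the custom 403 response, rather than trusting the operation's build log. The following Python script is an added example and not CloudBees' code: it requests /securityRealm/finishLogin on each controller, checks for the 403 status and for the SECURITY-2469 marker in the body, and lists the controllers that still answer differently. The controller URLs and the canned responses it ships with are constructed so that it runs offline; pass your own controller URLs as arguments to probe real instances.

```python
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Endpoint covered by the Request Filtering rule (the SAML callback).
MITIGATED_PATH = "/securityRealm/finishLogin"
EXPECTED_STATUS = 403
EXPECTED_MARKER = "SECURITY-2469"  # the custom response body names the advisory

# A fetcher maps a URL to (status code, body). It is injected so the check can
# be exercised offline with canned responses.
Fetch = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET the URL, returning status and body for 4xx/5xx answers as well.
    Transport failures surface as status 0 so they are reported, not hidden."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError as err:
        return 0, f"unreachable: {err.reason}"


def verify_controller(base_url: str, fetch: Fetch = http_fetch) -> Dict[str, object]:
    """Report whether one controller answers the mitigated URL with the custom 403."""
    url = base_url.rstrip("/") + MITIGATED_PATH
    status, body = fetch(url)
    status_ok = status == EXPECTED_STATUS
    body_ok = EXPECTED_MARKER in body
    return {
        "url": url,
        "status": status,
        "status_ok": status_ok,
        "body_ok": body_ok,
        "mitigated": status_ok and body_ok,
    }


def verify_fleet(base_urls: List[str], fetch: Fetch = http_fetch) -> List[Dict[str, object]]:
    """Run the check against every controller and collect the reports."""
    return [verify_controller(u, fetch) for u in base_urls]


def still_open(results: List[Dict[str, object]]) -> List[str]:
    """URLs of controllers that did not return the expected block response."""
    return [str(r["url"]) for r in results if not r["mitigated"]]


# Constructed responses standing in for three hypothetical controllers: one with
# the rule in place, one without it, and one that is down.
DEMO_RESPONSES = {
    "https://ctrl-a.example.com/securityRealm/finishLogin": (
        403, "<h1>Forbidden call</h1> ... mentioning SECURITY-2469."),
    "https://ctrl-b.example.com/securityRealm/finishLogin": (
        400, "<html>constructed: SAML response missing</html>"),
    "https://ctrl-c.example.com/securityRealm/finishLogin": (
        0, "unreachable: connection refused"),
}
DEMO_CONTROLLERS = [u[: -len(MITIGATED_PATH)] for u in DEMO_RESPONSES]


def demo_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch that serves the constructed responses."""
    return DEMO_RESPONSES.get(url, (0, "unreachable: unknown host"))


if __name__ == "__main__":
    real_targets = sys.argv[1:]
    targets = real_targets or DEMO_CONTROLLERS
    fetch = http_fetch if real_targets else demo_fetch
    results = verify_fleet(targets, fetch)
    for r in results:
        print(f"{'OK ' if r['mitigated'] else 'BAD'} {r['status']:>3} {r['url']}")
    pending = still_open(results)
    if pending:
        print("controllers without the mitigation:", *pending, sep="\n  ")
        sys.exit(1)
```

A non-zero exit when any controller is still open makes the script usable as a gate in a scheduled job, which pairs well with the periodic Build Trigger suggested for the Cluster Operation above.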

Mitigating using Configuration as Code (CasC)

Configuration as Code can be used to mitigate this security vulnerability. The following sections explain how to use the CloudBees Request Filter Plugin to block the problematic URL pattern through CasC.

Installing and configuring the mitigation on the operations center

CloudBees customers running CloudBees CI 2.289.3.2 or later can use CasC on the operations center to mitigate this security vulnerability.

The CloudBees Request Filter Plugin is not included in the CloudBees Assurance Program (CAP), so it must be declared in the plugin-catalog.yaml configuration file. By default, however, the operations center does not use plugin-catalog.yaml unless the Java argument -Dcom.cloudbees.jenkins.cjp.installmanager.CJPPluginManager.enablePluginCatalogInOC=true is added to its startup arguments. Controllers do not need this startup argument.

Installing and configuring the mitigation on controllers

For controllers, the plugin catalog is available by default, so no Java argument needs to be added as it does for the operations center.

Code snippets for bundle configuration

The code snippets below show how to apply the mitigation in a CasC bundle, for both the operations center and controllers.

  • jenkins.yaml

unclassified:
  rules:
    rules:
    - pattern: ".+[/\\\\]securityRealm[/\\\\]finishLogin.*"
      response:
        code: 403
        content: |-
          <h1>Forbidden call</h1>
          For more information, please visit the <a href="https://cloudbees.com/r/block-url-pattern">following page</a>
          or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2469.
        contentType: "text/html"

IMPORTANT NOTES

  1. By applying the above filter in CasC, any filters you had previously configured in the CloudBees Request Filter Plugin through the GUI will be removed. To preserve them, they must be reconfigured with Configuration as Code.

  2. You must update the version in the bundle.yaml for hot reload to find the new version.

  3. Depending on your filter, you might need to escape the corresponding characters, because the pattern is interpreted as a Java String. For example, the character \ is escaped by writing \\. As an example, .+[/\\\\]securityRealm[/\\\\]finishLogin. results in .+[/\\]securityRealm[/\\]finishLogin. under Manage Jenkins -> Configure System -> Request Filtering.
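As an added example that is not part of the CloudBees article, the following Python script puts the three spellings of the rule side by side (the GUI regex, the Groovy single-quoted literal from the Cluster Operation script, and the YAML double-quoted scalar from jenkins.yaml), shows that the doubled backslashes decode to the same regex, and then checks which request strings that regex covers. It assumes that the filter compares the whole request string (Java String.matches semantics, which is why the pattern starts with .+ and ends with .*); the sample requests are constructed.

```python
import re

# The regex as typed into Manage Jenkins -> Configure System -> Request Filtering.
GUI_PATTERN = r".+[/\\]securityRealm[/\\]finishLogin.*"

# The same rule inside a Groovy single-quoted string (Cluster Operation script)
# and inside a YAML double-quoted scalar (jenkins.yaml): each backslash is
# doubled, because both string syntaxes consume one level of backslash escaping.
GROOVY_LITERAL = r".+[/\\\\]securityRealm[/\\\\]finishLogin.*"
YAML_SCALAR = r".+[/\\\\]securityRealm[/\\\\]finishLogin.*"


def unescape_backslashes(literal: str) -> str:
    """Collapse doubled backslashes, the only escape this pattern uses, to
    recover the regex that the plugin will compile."""
    return literal.replace("\\\\", "\\")


def blocked(request: str, pattern: str = GUI_PATTERN) -> bool:
    """True when the rule applies to the request string.

    Assumption: the whole string must match (Java String.matches semantics).
    """
    return re.fullmatch(pattern, request) is not None


# Constructed sample requests with the expected outcome for each.
SAMPLE_REQUESTS = [
    # the SAML callback on a controller served at the root context
    ("https://ci.example.com/securityRealm/finishLogin", True),
    # the same endpoint under a context path, with a query string
    ("https://ci.example.com/jenkins/securityRealm/finishLogin?SAMLResponse=x", True),
    # backslash instead of slash: [/\\] covers it, a plain "/" would not
    ("https://ci.example.com/securityRealm\\finishLogin", True),
    # other security realm endpoints stay reachable
    ("https://ci.example.com/securityRealm/commenceLogin", False),
    ("https://ci.example.com/login", False),
    # a bare path with nothing in front of it does not satisfy the leading .+;
    # keep this in mind if you reuse the pattern in a tool that matches paths only
    ("/securityRealm/finishLogin", False),
]


def check_samples(pattern: str = GUI_PATTERN) -> list:
    """Return (request, expected, actual) for every sample request."""
    return [(req, expected, blocked(req, pattern)) for req, expected in SAMPLE_REQUESTS]


def mismatches(pattern: str = GUI_PATTERN) -> list:
    """Requests whose outcome differs from the expectation; a non-empty list
    means the pattern was altered (for example by a lost escape) and should be
    reviewed before it is saved."""
    return [req for req, expected, actual in check_samples(pattern) if expected != actual]


if __name__ == "__main__":
    for name, literal in (("groovy", GROOVY_LITERAL), ("yaml", YAML_SCALAR)):
        same = unescape_backslashes(literal) == GUI_PATTERN
        print(f"{name:6} literal decodes to the GUI regex: {same}")
    for req, expected, actual in check_samples():
        print(f"{'OK ' if expected == actual else 'BAD'} blocked={actual!s:5} {req}")
    print("mismatches:", mismatches())
```

Running the script with a pattern you intend to paste (pass it to mismatches) is a quick way to catch an escaping slip before it reaches a production controller, since a rule that silently matches nothing leaves the endpoint exposed while the GUI looks configured.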


  • plugin-catalog.yaml

The current example uses the version 1.7 of the CloudBees Request Filter Plugin. Adapt the version used of the CloudBees Request Filter Plugin depending on the release you are running by checking the provided table in the section Installing and configuring the mitigation on the operations center.

type: plugin-catalog
version: '1'
name: security-2469-catalog
displayName: Simple SECURITY-2469 catalog
configurations:
- description: Exported plugins
  includePlugins:
    cloudbees-request-filter:
      version: '1.7'

  • plugins.yaml

plugins:
  - {id: "cloudbees-request-filter"}

More information about how to use CasC can be found in the CloudBees documentation:

Upgrade the SAML plugin to a version with the fix

Manually upgrading the SAML plugin to a version that includes the fix implies a restart of the instance. CloudBees therefore recommends applying the Request Filter mitigation explained above and then upgrading your current release by reaching out for an Assisted Update.

However, if you prefer to manually install a fixed version of the SAML plugin, complete the procedure below.

  1. Download the SAML plugin for your version of CI.

    CloudBees CI version   Plugin version currently installed   Plugin version to upgrade to (fix included)
    2.249.1.2              1.1.7                                1.1.8
    2.249.2.3              1.1.7                                1.1.8
    2.249.2.4              1.1.7                                1.1.8
    2.249.3.1              1.1.7                                1.1.8
    2.249.3.2              1.1.7                                1.1.8
    2.249.3.3              1.1.7                                1.1.8
    2.263.1.2              1.1.7                                1.1.8
    2.263.2.2              1.1.7                                1.1.8
    2.263.2.3              1.1.7                                1.1.8
    2.263.4.1              1.1.7                                1.1.8
    2.263.4.2              1.1.7                                1.1.8
    2.277.1.2              1.1.7                                1.1.8
    2.277.2.3              2.0.2                                2.0.3.1
    2.277.3.1              2.0.2                                2.0.3.1
    2.277.4.2              2.0.3                                2.0.3.1
    2.277.4.3              2.0.3                                2.0.3.1
    2.277.4.4              2.0.3                                2.0.3.1
    2.289.1.2              2.0.3                                2.0.3.1
    2.289.2.2              2.0.3                                2.0.3.1
    2.289.2.3              2.0.3                                2.0.3.1
    2.289.3.2              2.0.3                                2.0.3.1
    2.303.1.5              2.0.3                                2.0.3.1

  2. Go to Manage Jenkins -> Manage Plugins.

  3. Select the Advanced tab.

  4. Under Upload Plugin, select Choose File and then select the saved plugin file (saml.hpi).

  5. Click Upload.

  6. Go to Manage Jenkins -> Beekeeper Upgrade Assistant -> CAP Configuration and ensure that Allow automatic downgrades of plugins on restart is disabled (not checked). This will prevent the SAML plugin from being downgraded when you restart.

  7. Restart Jenkins (https://JENKINS_URL/restart)