Issue
- On August 31st, 2021, CloudBees announced a security advisory that included the Jenkins security issue SECURITY-2469/CVE-2021-21678. As a mitigation to the security issue, I want to block access to a known vulnerable URL pattern on my controllers and operations center.
Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations center
- CloudBees Jenkins Enterprise - Managed controller
- CloudBees Jenkins Enterprise - Operations center
Resolution
The fastest way to mitigate this security vulnerability is to use the CloudBees Request Filter Plugin to block the problematic URL pattern. If you are using Configuration as Code, it can be used both to automate the installation of the CloudBees Request Filter Plugin and to create the URL pattern.
This mitigation is required on the operations center and on every controller connected to the operations center where the SAML plugin is installed and enabled.
For standalone controllers not connected to the operations center, the mitigation is required if the SAML plugin is installed and enabled.
Blocking access to vulnerable URLs with the CloudBees Request Filter plugin
To mitigate the Jenkins security issue SECURITY-2469, you can use the CloudBees Request Filter plugin to block access to a URL pattern that is known to be vulnerable. This process does not require an upgrade or a restart.
CloudBees recommends that all customers perform the steps in this article as soon as possible, to ensure you are protected from the vulnerability. Then, once you have completed these steps, you can plan for and test an upgrade to the versions containing the fix by contacting CloudBees for an Assisted Upgrade. Once you have upgraded to a version containing the mitigation, you can remove the Request Filtering pattern that was created for the mitigation in this article.
Installing and configuring the mitigation on the operations center
Complete the following procedures if the SAML plugin is installed and enabled on the operations center.
Install the CloudBees Request Filter plugin
If you don’t have the CloudBees Request Filter plugin, you must first download and install it.
- Download the CloudBees Request Filter plugin for your version of the operations center and save it locally.

  Operations center version | Plugin version
  2.235.2.3 or newer |
  2.107.1.2 to 2.235.2.3 (not included) |
  2.73.1.2 to 2.107.1.2 (not included) |
  before 2.73.1.2 |
- Go to Manage Jenkins -> Manage Plugins.
- Select the Advanced tab.
- Under Upload Plugin, select Choose File and then select the saved plugin file (cloudbees-request-filter.hpi).
- Select Upload.
Configure the Request Filter plugin
Once you have downloaded and installed the Request Filter plugin, you can configure it to block URLs.
- Go to Manage Jenkins -> Configure System.
- In the Request Filtering section, select Add rule.
- In the URI pattern field, enter the following regex pattern:

  .+[/\\]securityRealm[/\\]finishLogin.*
- Select Custom response, and then complete the following fields:
  - Under Response Code, enter 403.
  - Under Content Type, leave text/html.
  - Under Content, enter the following:

    <h1>Forbidden call</h1> For more information, please visit the <a href="https://cloudbees.com/r/support/cloudbees-security-advisory-2021-08-31">following page</a> or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2469.
- Select Save.
Installing and configuring the mitigation on a standalone controller
Complete the following procedures for any standalone controllers that have the SAML plugin installed and enabled.
Install the CloudBees Request Filter plugin
If you don’t have the CloudBees Request Filter plugin, you must first download and install it.
- Go to Manage Jenkins -> Manage Plugins.
- Select the Available tab.
- Search for CloudBees Request Filter Plugin.
- Select Install without restart.
Configure the Request Filter plugin
Once you have downloaded and installed the Request Filter plugin, you can configure it to block URLs.
- Go to Manage Jenkins -> Configure System.
- In the Request Filtering section, select Add rule.
- In the URI pattern field, enter the following regex pattern:

  .+[/\\]securityRealm[/\\]finishLogin.*
- Select Custom response, and then complete the following fields:
  - Under Response Code, enter 403.
  - Under Content Type, leave text/html.
  - Under Content, enter the following:

    <h1>Forbidden call</h1> For more information, please visit the <a href="https://cloudbees.com/r/support/cloudbees-security-advisory-2021-08-31">following page</a> or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2469.
- Select Save.
Installing and configuring on controllers in an operations center cluster
In any clustered environment with an operations center and controllers connected to it, you need to apply the mitigation to the operations center (see Installing and configuring the mitigation on the operations center) as well as to the controllers where the SAML plugin is installed and enabled.
To install and configure the CloudBees Request Filter plugin on multiple controllers managed by a CloudBees operations center, you can use a Cluster Operation.
Note: Controllers must be Running and Connected for the Cluster Operation to be successful and correctly apply the mitigation.
To create and configure a Cluster Operation:
- On your operations center, select New Item and then select Cluster Operations.
- Enter a name for the Cluster Operation (such as Apply SECURITY-2469 to all online controllers).
- (Optional) You can configure the Cluster Operation with Build Triggers -> Build periodically to run it periodically. It is safe to run the Cluster Operation multiple times on the same controllers (it is idempotent).
- In the Target Managed controllers section, add the controllers on which you want to block URLs (such as From Operations Center Root).
- Under Filters, select Add Filter and then select Client Controller / Managed Controller Is Online.
- Add the following steps:
  - An Install plugin step with the plugin ID set to cloudbees-request-filter and no version (leave the Version field blank). Using no version instructs the system to use the most recent plugin available for the given controller.
  - An Execute Groovy Script on Controller step using the following script:

    ```groovy
    import com.cloudbees.jenkins.plugins.requestfilter.*

    String mitigationPattern = '.+[/\\\\]securityRealm[/\\\\]finishLogin.*'
    int responseCode = 403
    String responseContent = '''
    <h1>Forbidden call</h1> For more information, please visit the <a href="https://cloudbees.com/r/support/cloudbees-security-advisory-2021-08-31">following page</a> or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2469.
    '''
    String responseContentType = 'text/html'

    // Let's preserve existing configuration, if any.
    // Also, this code is idempotent so we can run it multiple times without worrying we'd add X times the same config
    List<Rule> existingRules = new ArrayList(Rules.get().getRules()) // reinstantiation needed because emptyList() is immutable

    if (existingRules.collect { rule -> rule.pattern }
            .findAll { rulePattern -> mitigationPattern.equals(rulePattern) }
            .isEmpty()) {
        println "mitigation pattern not found, adding it"
        Rule mitigationRule = new Rule(mitigationPattern)
        mitigationRule.setResponse(new Response(responseCode, responseContentType, responseContent))
        existingRules.add(mitigationRule)
        Rules.get().setRules(existingRules)
    } else {
        println 'mitigation pattern found, no-op'
    }
    ```
- Select Save, and then Run.
Mitigating using Configuration as Code (CasC)
Configuration as Code can be used to mitigate this security vulnerability. The following sections explain how to use the CloudBees Request Filter Plugin to block the problematic URL pattern through CasC.
Installing and configuring the mitigation on the operations center
CloudBees customers running CloudBees CI 2.289.3.2 and later can use CasC in the operations center to mitigate this security vulnerability.
The CloudBees Request Filter Plugin is not included in the CloudBees Assurance Program (CAP); therefore, it must be included in the plugin-catalog.yaml configuration file. However, by default, plugin-catalog.yaml cannot be used in the operations center unless the Java argument -Dcom.cloudbees.jenkins.cjp.installmanager.CJPPluginManager.enablePluginCatalogInOC=true is added to the operations center startup arguments. This startup argument is not required for controllers.
Installing and configuring the mitigation on controllers
For controllers, the plugin catalog is available by default, so it is not necessary to add any Java argument as it is for the operations center.
Code snippets for bundle configuration
The code snippets below are examples that show how to apply the mitigation in a CasC bundle for both the operations center and controllers.
- jenkins.yaml

  ```yaml
  unclassified:
    rules:
      rules:
        - pattern: ".+[/\\\\]securityRealm[/\\\\]finishLogin.*"
          response:
            code: 403
            content: |-
              <h1>Forbidden call</h1> For more information, please visit the <a href="https://cloudbees.com/r/block-url-pattern">following page</a> or <a href="https://support.cloudbees.com">contact CloudBees support</a> mentioning SECURITY-2469.
            contentType: "text/html"
  ```

  IMPORTANT NOTES
  - By applying the above filter in CasC, any filters you had previously configured in the CloudBees Request Filter Plugin through the GUI will be removed. To preserve them, they must be reconfigured with Configuration as Code.
  - You must update the version in the bundle.yaml for hot reload to find the new version.
  - Depending on your filter, you might need to escape the corresponding characters, because the pattern is interpreted as a String in Java. For example, the character \ is escaped as \\. As an example, `.+[/\\\\]securityRealm[/\\\\]finishLogin.*` in the bundle results in `.+[/\\]securityRealm[/\\]finishLogin.*` under Manage Jenkins -> Configure System -> Request Filtering.
- plugin-catalog.yaml

  The current example uses version 1.7 of the CloudBees Request Filter Plugin. Adapt the version of the CloudBees Request Filter Plugin to the release you are running by checking the table in the section Installing and configuring the mitigation on the operations center.

  ```yaml
  type: plugin-catalog
  version: '1'
  name: security-2469-catalog
  displayName: Simple SECURITY-2469 catalog
  configurations:
    - description: Exported plugins
      includePlugins:
        cloudbees-request-filter:
          version: '1.7'
  ```
- plugins.yaml

  ```yaml
  plugins:
    - {id: "cloudbees-request-filter"}
  ```
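As an added check (example code, not from the CloudBees article), the following Python script resolves the escaping layer of both the double-quoted YAML scalar and the single-quoted Groovy literal used above into the regex the plugin receives, then runs that regex over constructed sample URLs. It assumes the rule is evaluated as a whole-string match against the full request URL (the host name is a placeholder); the bare-path sample shows why the leading `.+` makes that assumption worth confirming with a real request after the rule is saved.

```python
import json
import re

# Constructed copies of the two literals used on this page (example code, not
# CloudBees' own): the double-quoted YAML scalar from jenkins.yaml and the
# single-quoted Groovy string from the Cluster Operation script.
YAML_LITERAL = r'".+[/\\\\]securityRealm[/\\\\]finishLogin.*"'
GROOVY_LITERAL = r'.+[/\\\\]securityRealm[/\\\\]finishLogin.*'


def regex_from_yaml(literal: str) -> str:
    """Double-quoted YAML scalars use JSON's backslash escapes, so json.loads
    reproduces the string the CasC loader hands to the plugin."""
    return json.loads(literal)


def regex_from_groovy(literal: str) -> str:
    """Groovy single-quoted strings resolve Java escapes: each pair of
    backslashes becomes a single backslash."""
    return literal.encode("latin-1").decode("unicode_escape")


def is_blocked(candidate: str, regex: str) -> bool:
    """Assumption: the rule is applied as a whole-string match against the
    request URL. Java and Python agree on this pattern's syntax."""
    return re.fullmatch(regex, candidate) is not None


SAMPLE_INPUTS = [  # constructed; ci.example.com is a placeholder host
    "https://ci.example.com/securityRealm/finishLogin",
    "https://ci.example.com/securityRealm/finishLogin?SAMLResponse=x",
    "https://ci.example.com/jenkins/securityRealm/finishLogin",
    "https://ci.example.com\\securityRealm\\finishLogin",  # [/\\] also takes a backslash
    "https://ci.example.com/securityRealm/commenceLogin",  # login start, not blocked
    "/securityRealm/finishLogin",  # bare path: the leading .+ needs a char before the separator
]


def evaluate(inputs=SAMPLE_INPUTS) -> dict:
    """Map each sample input to True (rule matches, 403 served) or False."""
    regex = regex_from_yaml(YAML_LITERAL)
    assert regex == regex_from_groovy(GROOVY_LITERAL)  # both layers yield the same Java regex
    return {candidate: is_blocked(candidate, regex) for candidate in inputs}


if __name__ == "__main__":
    for candidate, blocked in evaluate().items():
        print("403 " if blocked else "pass", candidate)
```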
More information about how to use CasC can be found in the CloudBees documentation:
Upgrade the SAML plugin to a version with the fix
Instead of manually upgrading the SAML plugin to the version with the fix, which requires a restart of the instance, CloudBees recommends using the Request Filter mitigation explained above and upgrading your current release by reaching out for an Assisted Upgrade.
However, if you prefer to manually install a fixed version of the SAML plugin, complete the procedure below.
- Download the SAML plugin for your version of CI.

  CloudBees CI version | Plugin version that should be installed | Plugin version to upgrade (fix included)
  2.249.1.2 | 1.1.7 |
  2.249.2.3 | 1.1.7 |
  2.249.2.4 | 1.1.7 |
  2.249.3.1 | 1.1.7 |
  2.249.3.2 | 1.1.7 |
  2.249.3.2 | 1.1.7 |
  2.249.3.3 | 1.1.7 |
  2.263.1.2 | 1.1.7 |
  2.263.2.2 | 1.1.7 |
  2.263.2.3 | 1.1.7 |
  2.263.4.1 | 1.1.7 |
  2.263.4.2 | 1.1.7 |
  2.277.1.2 | 1.1.7 |
  2.277.2.3 | 2.0.2 |
  2.277.3.1 | 2.0.2 |
  2.277.4.2 | 2.0.3 |
  2.277.4.3 | 2.0.3 |
  2.277.4.4 | 2.0.3 |
  2.289.1.2 | 2.0.3 |
  2.289.2.2 | 2.0.3 |
  2.289.2.3 | 2.0.3 |
  2.289.3.2 | 2.0.3 |
  2.303.1.5 | 2.0.3 |
- Go to Manage Jenkins -> Manage Plugins.
- Select the Advanced tab.
- Under Upload Plugin, select Choose File and then select the saved plugin file (saml.hpi).
- Click Upload.
- Go to Manage Jenkins -> Beekeeper Upgrade Assistant -> CAP Configuration and ensure that Allow automatic downgrades of plugins on restart is disabled (not checked). This will prevent the SAML plugin from being downgraded when you restart.
- Restart Jenkins (https://JENKINS_URL/restart).