Security advisories

XXE vulnerability in WebSphere Deployer Plugin

SECURITY-1719 / CVE-2020-2108

WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.

As of publication of this advisory, there is no fix.
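As an added illustration of the defensive side of this advisory (example code written here, not the plugin's own source), the following Java class parses a war-supplied descriptor such as WEB-INF/ibm-web-ext.xml with every DTD and external-entity feature of the JDK's DocumentBuilderFactory switched off. The two descriptor strings are constructed samples, and the SYSTEM identifier in the first one is a placeholder; the class name and method names are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Parses an archive-supplied deployment descriptor with DTD and entity processing disabled. */
public class HardenedDescriptorParser {

    // Constructed sample: a descriptor that declares an external entity through a DOCTYPE.
    // The SYSTEM identifier is a placeholder; a hardened parser must never resolve it anyway.
    static final String DESCRIPTOR_WITH_DOCTYPE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE web-ext [ <!ENTITY ext SYSTEM \"file:///placeholder/local/file\"> ]>\n"
        + "<web-ext>\n"
        + "  <context-root uri=\"/&ext;\"/>\n"
        + "</web-ext>\n";

    // Constructed sample: a benign descriptor with no DOCTYPE at all.
    static final String DESCRIPTOR_CLEAN =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<web-ext>\n"
        + "  <context-root uri=\"/myapp\"/>\n"
        + "</web-ext>\n";

    /** Builds a DocumentBuilder that rejects DOCTYPEs and never loads external entities or DTDs. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary defence: any DOCTYPE declaration is a parse error, so no entity can be declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a parser implementation ignores the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Parses descriptor text taken from an uploaded archive; the text is untrusted input. */
    public static Document parseDescriptor(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return newHardenedBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        Document clean = parseDescriptor(DESCRIPTOR_CLEAN);
        System.out.println("benign descriptor parsed, root element: "
            + clean.getDocumentElement().getTagName());
        try {
            parseDescriptor(DESCRIPTOR_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: descriptor with DOCTYPE was accepted");
        } catch (SAXException e) {
            // The JDK's built-in parser reports the disallowed DOCTYPE here.
            System.out.println("descriptor rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright is the simplest rule to audit: a deployment descriptor has no legitimate need for one, and a parser that accepts no DOCTYPE cannot be coaxed into resolving an entity regardless of which other features its implementation honours. Inside a Jenkins plugin the same result can be had by parsing through the hardened helpers in Jenkins core's jenkins.util.xml.XMLUtils rather than a hand-configured factory.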

Security fixes

CloudBees Long-Running Build Plugin does not check permissions when stopping builds (NGPIPELINE-908)

CloudBees Long-Running Build Plugin allowed any user who could view a build of a long-running project to cancel that build. With this fix, builds of Long-Running Projects can now be canceled only by users with Job/Cancel permission for that project.

This only affects installations that use the CloudBees Long-Running Build Plugin.

Stored Cross-Site Scripting on CloudBees Template Plugin in Description Field (CPLT2-6166)

HTML placed in the Description area of a job or folder template would be rendered raw in the New Item dialog, posing a stored-XSS vulnerability.

This HTML is now escaped.

This only affects installations that use the CloudBees Template Plugin.

Attackers with Overall/Read, Agent/Secure, and Job/Read can associate any folder they can Job/Read with any agent they can Agent/Secure via CSRF when using the CloudBees Folders Plus Plugin (FNDJEN-1781)

To fix this issue, the use of the crumb issuer has been enforced in some methods and the web page with the authorized agents has been restricted.

This only affects installations that use the CloudBees Folders Plus Plugin.

Cloud connection test implementations allow users with Jenkins.READ permission to steal credentials (FNDJEN-1851)

Access is now protected with RequirePOST annotations and new permission checks.

CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin

SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

This only affects installations that use the Health Advisor by CloudBees Plugin.
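As an added example of the two fixes described above (written for this page, not taken from the Health Advisor by CloudBees Plugin), the following Jenkins global configuration shows a "test recipient" form-validation method in the shape of the defect alongside its hardened form: the @RequirePOST annotation makes Stapler refuse GET requests, so the call has to go through Jenkins' crumb (CSRF token) check, and the explicit checkPermission call restricts it to Overall/Administer. The class name, method names and the sendTestMessage helper are assumptions; the Jenkins and Stapler types used are the standard plugin API.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical global configuration whose "test recipient" button has a side effect
 * (it sends a message), so it must be guarded like any other state-changing action.
 */
@Extension
public class ExampleNotifierConfiguration extends GlobalConfiguration {

    // Shape of the defect: reachable by GET and guarded by no permission check, so any
    // user with Overall/Read, or a cross-site page acting as that user, could trigger the
    // side effect with a recipient of their choosing.
    //
    //   public FormValidation doTestRecipient(@QueryParameter String recipient) {
    //       sendTestMessage(recipient);
    //       return FormValidation.ok("Test message sent to " + recipient);
    //   }

    // Hardened form. @RequirePOST rejects non-POST requests, which means a forged
    // cross-site request fails Jenkins' crumb check; the permission check then limits
    // the action to administrators. Both are needed: POST alone does not authorize,
    // and a permission check alone does not stop a CSRF from an administrator's browser.
    @RequirePOST
    public FormValidation doTestRecipient(@QueryParameter String recipient) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (recipient == null || recipient.trim().isEmpty()) {
            return FormValidation.error("Recipient must not be empty");
        }
        sendTestMessage(recipient.trim());
        return FormValidation.ok("Test message sent to " + recipient.trim());
    }

    // Validation-only methods with no side effect still need a permission check, because
    // their responses can disclose configuration state; for global configuration that
    // check is Overall/Administer as well.
    public FormValidation doCheckRecipient(@QueryParameter String recipient) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return (recipient != null && recipient.contains("@"))
            ? FormValidation.ok()
            : FormValidation.warning("Does not look like an email address");
    }

    // Placeholder for the real sending logic; assumed for the example, it only logs.
    private void sendTestMessage(String recipient) {
        System.out.println("would send test message to " + recipient);
    }
}
```

When reviewing a plugin for this class of issue, every doCheck*, doTest*, doFill* and doValidate* method on a Descriptor or GlobalConfiguration is a candidate: each one is a web-reachable endpoint, and the question to ask of each is whether it has a side effect (then it needs @RequirePOST) and whose data it reveals or acts on (then it needs the matching checkPermission).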

New features

Configure resource domain in operations center incl. ingress

Certain Jenkins features, such as publishing user-created HTML documentation from builds, would introduce XSS vulnerabilities if implemented naïvely. Historically, Jenkins defended against this by setting the Content-Security-Policy header on user-controlled content. This breaks some legitimate use cases, such as JavaScript navigation within generated pages, so some administrators and even plugins would disable this CSP header, leaving the system vulnerable.

Recent versions of Jenkins offer the ability to serve such content from alternate domains as an alternative without the limitations of CSP. CloudBees Core on modern cloud platforms now makes it particularly convenient to set up such a system, by managing ingress and configuring Managed Masters to use it. The administrator need only ensure that the DNS record for CloudBees Core, and associated TLS certificates, lists the alternate resource domain, and configure one field in master provisioning settings.

Specifying a matrix of one or more dimensions (NGPIPELINE-378)

The Declarative Pipeline Matrix directive allows users to execute a set of one or more Pipeline stages multiple times, once for every combination defined in the matrix. Matrix combinations are generated from static lists of predefined values. Filters can also be provided to exclude specific combinations.

Feature enhancements

Telemetry

The CloudBees Analytics Plugin collects metrics for analysis to help CloudBees make decisions about future product direction. The collected data is used to evaluate patterns of usage of our products.

For details about what data is collected, see Data collection for the CloudBees Analytics Plugin.

Resolved issues

$best_http_port no longer valid in nginx-ingress-controller 0.25.1 and later (CPLT2-6156)

When browsing http://<domain-name>/, the redirection to operations center is incorrect. This is due to a change in recent nginx-ingress-controller versions that the CloudBees Core on modern cloud platforms Helm chart was depending on.

Use the actual domain name to redirect without relying on the nginx-ingress variable to fix the redirection.

Evaluate storage-class usage and creation (CPLT2-5730)

When using Persistence.StorageClass in Helm values, it is only provided to operations center and not to Managed Masters.

Apply the value to Managed Masters in addition to operations center. Also, on GKE, based on the given OperationsCenter.Platform value, a default storage class using SSDs is created and used by default.

/etc/issue refers to US government in new UBI images (CPLT2-6174)

A security hardening script added a text file to CloudBees Core Docker images, implying that the image was to be used only by the United States government.

The misleading file was removed from the images.

KubernetesCloud copy constructor is not copying all fields (CPLT2-6168)

Some fields of the Kubernetes shared cloud configuration are not propagated to Managed Masters.

All fields are now propagated to Managed Masters.

NPE from KubernetesMasterProvisioning$DescriptorImpl.redirect (CPLT2-6165)

A NullPointerException could be printed to the operations center log file while creating a new Managed Master, temporarily affecting display.

Avoid the exception.

ATH failure in Gradle plugin (FNDJEN-1532)

Updated to version 1.35 of Gradle plugin to fix the failure as well as improve pipeline support.

Connection to S3 for backup with HTTP only (no SSL) not working (CTR-1030)

This only affects installations that use the CloudBees Backup Plugin.

When overriding an S3 endpoint with a custom endpoint that used the HTTP protocol only, the URL was prefixed by "https://" and ended with an SSL error. With this fix, when an endpoint has only the HTTP protocol set and HTTPS is not present, then the URL begins with "http://".

Update pipeline-build-step to 2.10 and workflow-cps to 2.78 (NGPIPELINE-878)

This only affects installations that use the Pipeline: Build Step and Pipeline: Groovy plugins.

When the build step failed because the downstream build failed, it always reported failure, instead of the actual result of the downstream build. With this fix, the build step now reports the actual result of the downstream build when using the propagate option.

Known issues

None.

Upgrade notes

End of life announcement

After assessing the viability of our supported plugins, CloudBees ended support for the CloudBees VMware Pool Autoscaling Plugin on April 30, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

Revisions

Revision 2 (2020-02-12)

CloudBees Security Advisory 2020-02-12