FreeBSD : jenkins -- slave-originated arbitrary code execution on master servers (0dad9114-60cc-11e4-9e84-0022156e8794)

medium Nessus Plugin ID 78815

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Kohsuke Kawaguchi from Jenkins team reports :

Historically, Jenkins master and slaves behaved as if they altogether form a single distributed process. This means a slave can ask a master to do just about anything within the confinement of the operating system, such as accessing files on the master or trigger other jobs on Jenkins.

This has increasingly become problematic, as larger enterprise deployments have developed more sophisticated trust separation model, where the administators of a master might take slaves owned by other teams. In such an environment, slaves are less trusted than the master. Yet the 'single distributed process' assumption was not communicated well to the users, resulting in vulnerabilities in some deployments.

SECURITY-144 (CVE-2014-3665) introduces a new subsystem to address this problem. This feature is off by default for compatibility reasons. See Wiki for more details, who should turn this on, and implications.

CVE-2014-3566 is rated high. It only affects installations that accept slaves from less trusted computers, but this will allow an owner of of such slave to mount a remote code execution attack on Jenkins.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?c3ec4fdc

http://www.nessus.org/u?3ea19aad

https://www.cloudbees.com/jenkins-security-advisory-2014-10-30

http://www.nessus.org/u?0c66c9d8

Plugin Details

Severity: Medium

ID: 78815

File Name: freebsd_pkg_0dad911460cc11e49e840022156e8794.nasl

Version: 1.6

Type: local

Published: 11/3/2014

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:jenkins, p-cpe:/a:freebsd:freebsd:jenkins-lts, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 10/31/2014

Vulnerability Publication Date: 10/30/2014

Reference Information

CVE: CVE-2014-3665