Jenkins, the open source continuous integration server that forked out of Oracle's Hudson project, is facing several security vulnerabilities Monday, with the Jenkins project leader recommending upgrades to the Jenkins core and some plug-ins to fix the problems.
A security advisory posted by project leader Kohsuke Kawaguchi cites four vulnerabilities, including two affecting the Jenkins core. The first vulnerability has been deemed critical. "The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins," the security advisory said.
[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. ]
The second vulnerability in the core involves a cross-site scripting vulnerability, allowing an attacker to craft a URL that points to Jenkins, with an attacker able to hijack a legitimate user's session. Two other vulnerabilities, also involving cross-site scripting, affect the Violations and Continuous Integration Game plugins. The Violations plug-in scans for violation XML files in the build workspace; the Game plug-in offers tips on improving builds.
To fix the core vulnerabilities, main line users should upgrade to Jenkins 1.482, and LTS (Long-Term Support) users should upgrade to version 1.466.2. To fix the Violations plug-in, users are to upgrade to version 0.7.11 or later, while the CI game plug-in can be remedied by upgrading to 1.19 or later.
Kawaguchi said the fixes plug all known holes. "However, the nature of this game is such that someone will find a new vulnerability --- it's just a matter of when. So we encourage users, especially those who run Jenkins in a higher-risk environment (on the public Internet, in a security sensitive environment, etc.), to monitor security advisories by subscribing to the mailing list or an RSS feed."
He assuaged fears about the vulnerabilities, noting limitations. "Those who are running Jenkins inside a corporate firewall, which I think are the majority, [have] a mitigating factor, because one of the vulnerabilities requires an attacker to have an HTTP access to the Jenkins master and the other vulnerability requires the attacker to know the URL of your Jenkins. So it pretty much requires an attacker to be an insider." But he added, "Nonetheless, we recommend everyone to update to a version that contains the fix in a timely fashion."
Hudson forked out of Project Hudson in the wake of Oracle's 2010 acquisition of Sun Microsystems. Oracle has since handed Hudson over to the Eclipse Foundation.