Last modified: 2013-01-08 11:06:36 UTC
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04 2013-01-04 security advisory raised by Jenkins upstream publisher: -------------------------------------------------------- This vulnerability allows attacker with an HTTP access to the server to retrieve the master cryptographic key of Jenkins. This key is used to encrypt sensitive data in configuration files under $JENKINS_HOME and in the HTML forms, authenticate slaves connecting to the master, as well as the authenticate REST API access from users. An attacker can then use this master cryptographic key to mount remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls. There are several factors that mitigate some of these problems that may apply to specific installations. The particular attack vector is only applicable on Jenkins instances that have slaves attached to them, and allow anonymous read access. Jenkins allows users to re-generate the API tokens. Those re-generated API tokens cannot be impersonated by the attacker. -------------------------------------------------------- Since we do not use slaves, I guess we are not vulnerable. Nonetheless, we should upgrade to the latest LTS release (1.480.2 as of this writing). Our upgrade bug is bug 41973 which also has https://rt.wikimedia.org/Ticket/Display.html?id=4049
CCing Chris and Niklas who mentioned the issue in a private email. Assigning to self since I will take of having ops to make a new Jenkins version available in our APT repository.
Depends on bug 41973 which request a Jenkins upgrade.
Faidon and I have upgraded Jenkins to LTS 1.480.2.
