September 17, 2012, 4:48 PM — Jenkins, the open source continuous integration server that forked out of Oracle's Hudson project, is facing several security vulnerabilities Monday, with the Jenkins project leader recommending upgrades to the Jenkins core and some plug-ins to fix the problems.
A security advisory posted by project leader Kohsuke Kawaguchi cites four vulnerabilities, including two affecting the Jenkins core. The first vulnerability has been deemed critical. "The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins," the security advisory said.
[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. ]
The second vulnerability in the core involves a cross-site scripting vulnerability, allowing an attacker to craft a URL that points to Jenkins, with an attacker able to hijack a legitimate user's session. Two other vulnerabilities, also involving cross-site scripting, affect the Violations and Continuous Integration Game plugins. The Violations plug-in scans for violation XML files in the build workspace; the Game plug-in offers tips on improving builds.
To fix the core vulnerabilities, main line users should upgrade to Jenkins 1.482, and LTS (Long-Term Support) users should upgrade to version 1.466.2. To fix the Violations plug-in, users are to upgrade to version 0.7.11 or later, while the CI game plug-in can be remedied by upgrading to 1.19 or later.
Kawaguchi said the fixes plug all known holes. "However, the nature of this game is such that someone will find a new vulnerability --- it's just a matter of when. So we encourage users, especially those who run Jenkins in a higher-risk environment (on the public Internet, in a security sensitive environment, etc.), to monitor security advisories by subscribing to the mailing list or an RSS feed."