Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

The remote Red Hat Enterprise Linux CoreOS 2 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:1773 advisory.

  - CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix (CVE-2014-3577)

  - apache-commons-collections: InvokerTransformer code execution during deserialisation (CVE-2015-7501)

  - jenkins: Remote code execution vulnerability in remoting module (SECURITY-232) (CVE-2016-0788)

  - jenkins: HTTP response splitting vulnerability (SECURITY-238) (CVE-2016-0789)

  - jenkins: Non-constant time comparison of API token (SECURITY-241) (CVE-2016-0790)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:0711 advisory.

  - jenkins: Remote code execution vulnerability in remoting module (SECURITY-232) (CVE-2016-0788)

  - jenkins: HTTP response splitting vulnerability (SECURITY-238) (CVE-2016-0789)

  - jenkins: Non-constant time comparison of API token (SECURITY-241) (CVE-2016-0790)

  - jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245) (CVE-2016-0791)

  - jenkins: Remote code execution through remote API (SECURITY-247) (CVE-2016-0792)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:1773 advisory.

    OpenShift Enterprise by Red Hat is the company's cloud computing     Platform-as-a-Service (PaaS) solution designed for on-premise or     private cloud deployments.

    * The Jenkins continuous integration server has been updated to upstream     version 1.651.2 LTS that addresses a large number of security issues,     including open redirects, a potential denial of service, unsafe handling of     user provided environment variables and several instances of sensitive     information disclosure. (CVE-2014-3577, CVE-2016-0788, CVE-2016-0789,     CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722,     CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727,     CVE-2015-7501)

    Space precludes documenting all of the bug fixes and enhancements in this     advisory. See the OpenShift Enterprise Technical Notes, which will be     updated shortly for release 2.2.10, for details about these changes:

    https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-     single/Technical_Notes/index.html

    All OpenShift Enterprise 2 users are advised to upgrade to these updated     packages.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An updated Jenkins package and image that include a security fix are now available for Red Hat OpenShift Enterprise 3.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es) :

The Jenkins continuous integration server has been updated to upstream version 1.642.2 LTS that addresses a large number of security issues, including XSS, CSRF, information disclosure, and code execution.
(CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792)

Refer to the changelog listed in the References section for a list of changes.

This update includes the following image :

openshift3/jenkins-1-rhel7:1.642-30

All OpenShift Enterprise 3.1 users are advised to upgrade to the updated package and image.

The remote web server hosts a version of Jenkins that is prior to 1.650, or a version of Jenkins LTS prior to 1.642.2; or else a version of Jenkins Enterprise that is 1.642.x.y prior to 1.642.2.1, 1.625.x.y prior to 1.625.16.1, or 1.609.x.y prior to 1.609.16.1. It is, therefore, affected by the following vulnerabilities :

  - An unspecified flaw exists in the Jenkins remoting     module. An unauthenticated, remote attacker can exploit     this to open a JRMP listener on the server hosting the     Jenkins master process, allowing the execution of     arbitrary code. (CVE-2016-0788)

  - A flaw exists in main/java/hudson/cli/CLIAction.java due     to improper sanitization of CRLF sequences, which are     passed via CLI command names, before they are included     in HTTP responses. An unauthenticated, remote attacker     can exploit this, via crafted Jenkins URLs, to carry out     an HTTP response splitting attack. (CVE-2016-0789)

  - The verification of user-supplied API tokens fails to     use a constant-time comparison algorithm. An     unauthenticated, remote attacker can exploit this, via     statistical methods, to determine valid API tokens,     thus facilitating a brute-force attack to gain access     to user credentials. (CVE-2016-0790)

  - The verification of user-supplied XSRF crumbs fails to     use a constant-time comparison algorithm. An     unauthenticated, remote attacker can exploit this, via     statistical methods, to determine valid XSRF crumbs,     thus facilitating a brute-force attack to bypass the     cross-site request forgery protection mechanisms.
    (CVE-2016-0791)

  - A flaw exists in groovy.runtime.MethodClosure class due     to unsafe deserialize calls of unauthenticated Java     objects to the Commons Collections library. An     authenticated, remote attacker can exploit this, by     posting a crafted XML file to certain API endpoints, to     execute arbitrary code. (CVE-2016-0792)

ID	Name	Product	Family	Severity
312023	RHCOS 2 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773)	Nessus	Red Hat Local Security Checks	critical
311997	RHCOS 3 : jenkins (RHSA-2016:0711)	Nessus	Red Hat Local Security Checks	critical
119378	RHEL 6 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773)	Nessus	Red Hat Local Security Checks	critical
119370	RHEL 7 : jenkins (RHSA-2016:0711)	Nessus	Red Hat Local Security Checks	critical
89925	Jenkins < 1.642.2 / 1.650 and Jenkins Enterprise < 1.609.16.1 / 1.625.16.1 / 1.642.2.1 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2016-0790

medium

Tenable Plugins

critical

critical

critical

critical

critical