On Wed, Apr 18, 2018 at 7:26 AM Eric Fetzer <[email protected]> wrote:

> Sorry Mark, not sure if you see "SECURITY-624" in the Table I posted.
> Here's the Jenkins Security Advisory:
>
> https://jenkins.io/security/advisory/2017-12-05/
>
> But then the Jenkins change log shows that with version 2.107, this was
> addressed (more than just a workaround):  https://jenkins.io/changelog/.
> We are at 2.107.1, but the scan is still tagging us on this issue.
>
>
As far as I can tell, SECURITY-624 reported an XSS vulnerability in the Ant
plugin (and incorrectly reported an XSS vulnerability in Jenkins core).

The 2017-12-05 advisory <https://jenkins.io/security/advisory/2017-12-05/>
reported that it was unresolved and provided a workaround.

The 2018-01-22 advisory
<https://jenkins.io/security/advisory/2018-01-22/#xss-vulnerability-in-job-configuration-forms-in-ant-plugin>
notes that the problem was specific to Ant plugin versions 1.7 and prior
and is fixed in Ant plugin 1.8.  That advisory lists other plugins and
their versions, though it does not mention whether any of those plugins are
affected by the XSS vulnerability.

The 2.89.4 LTS changelog <https://jenkins.io/changelog-stable/#v2.89.4>
reports that changes were made in core to reduce the risk of problems like
SECURITY-624.

The 2.107 (weekly) changelog <https://jenkins.io/changelog/#v2.107> reports
the same changes that were made in 2.89.4 LTS to reduce the risk of
SECURITY-624 problems.

I assume that it is not enough to upgrade Jenkins core to those versions.
The Ant plugin needs to be upgraded to at least 1.8.  Likewise, I would
assume that the other plugins mentioned in the 2018-01-22 advisory need to
be upgraded to at least those versions.

Are you running new enough versions of the plugins listed in those
advisories?

Mark Waite
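As an added example (not code from this thread or from the Jenkins project), a Python check that encodes the minimum versions named above: Ant plugin 1.8, and the core hardening in 2.89.4 (LTS line) / 2.107 (weekly line). The plugin list is a constructed sample in the shape of Jenkins' `/pluginManager/api/json?depth=1` output; the points it shows are the numeric comparison (so 2.107.1 sorts after 2.89.4, which a string compare gets wrong) and the need to pick the LTS or weekly threshold before comparing core versions.

```python
import json
import re

# Minimum versions quoted in the thread: Ant plugin 1.8 is the actual fix;
# core 2.89.4 (LTS) and 2.107 (weekly) only carry the extra hardening.
MIN_PLUGIN_VERSIONS = {"ant": "1.8"}
MIN_CORE = {"lts": "2.89.4", "weekly": "2.107"}

# Constructed sample shaped like /pluginManager/api/json?depth=1 output.
# Assumption: a real server returns more fields; only these are used.
SAMPLE_PLUGINS_JSON = json.dumps({"plugins": [
    {"shortName": "ant", "version": "1.8", "active": True},
    {"shortName": "git", "version": "3.8.0", "active": True},
]})


def parse_version(text):
    """'2.107.1' -> (2, 107, 1). Tuples compare numerically; as strings
    '2.107.1' < '2.89.4', the classic way a version check goes wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def core_line(core_version):
    """LTS releases have three components (2.89.4, 2.107.1); weekly releases
    have two (2.107). The hardening landed at a different point on each line."""
    return "lts" if len(parse_version(core_version)) >= 3 else "weekly"


def core_has_hardening(core_version):
    """Compare against the threshold for this version's own release line."""
    line = core_line(core_version)
    return parse_version(core_version) >= parse_version(MIN_CORE[line])


def plugin_findings(plugins_json):
    """Return {shortName: (installed, required)} for active plugins that are
    older than the minimum; plugins that are not installed are not reported."""
    installed = {p["shortName"]: p["version"]
                 for p in json.loads(plugins_json)["plugins"]
                 if p.get("active", True)}
    findings = {}
    for name, minimum in MIN_PLUGIN_VERSIONS.items():
        have = installed.get(name)
        if have is not None and parse_version(have) < parse_version(minimum):
            findings[name] = (have, minimum)
    return findings


def assess(core_version, plugins_json):
    """Outdated plugins are the decisive finding; the core version only says
    whether the additional hardening from 2.89.4 / 2.107 is present."""
    return {"core_line": core_line(core_version),
            "core_hardened": core_has_hardening(core_version),
            "outdated_plugins": plugin_findings(plugins_json)}


if __name__ == "__main__":
    print(assess("2.107.1", SAMPLE_PLUGINS_JSON))
```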



> Thanks,
> Eric
>
> On Tue, Apr 17, 2018 at 2:36 PM, Mark Waite <[email protected]>
> wrote:
>
>> Your mail doesn't tell us what security vulnerability is believed to
>> exist.
>>
>> Can you explain further what the report means and what you believe should
>> be done?
>>
>> Mark Waite
>>
>> On Tue, Apr 17, 2018, 9:02 AM Eric Fetzer <[email protected]> wrote:
>>
>>> No one has any ideas about this at all?
>>>
>>>
>>>
>>> On Friday, April 13, 2018 at 12:21:36 PM UTC-6, Eric Fetzer wrote:
>>>>
>>>> We're getting gigged on a security scan that, looking at Jenkins
>>>> documentation, should not be happening.  The scan is turning up:
>>>>
>>>>
>>>> Vulnerability: Jenkins JDK / Ant Tools Job Configuration Stored XSS
>>>> Vulnerability (SECURITY-624)
>>>> Host: <redacted>
>>>> IP: <redacted>
>>>> Port: TCP:8080
>>>> 201701: NO
>>>> 201702: NO
>>>> 201703: NO
>>>> 201704: NO
>>>> 201705: NO
>>>> 201706: NO
>>>> 201707: NO
>>>>
>>>>
>>>> In the documentation, I see 2 places where this could be turning up.
>>>> Ant plugin prior to 1.8, and Jenkins version prior to 2.93.  Our Jenkins
>>>> version is 2.107.1 and we just upgraded our Ant plugin to 1.8.  Anyone have
>>>> an idea what's getting us here?
>>>>
>>>> Thanks,
>>>> Eric
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Jenkins Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/jenkinsci-users/58bf582a-a106-4f95-966a-07642c16e11c%40googlegroups.com
>>> <https://groups.google.com/d/msgid/jenkinsci-users/58bf582a-a106-4f95-966a-07642c16e11c%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>
