[Vulnerability Warning] Jenkins Read Vulnerability of Any File

2018-07-31 15:21:55
Dear user,

Jenkins recently issued an official security notification covering multiple vulnerabilities, including a high-risk arbitrary file read vulnerability (CVE-2018-1999002) that does not require Jenkins authentication. An attacker could use it to obtain sensitive files from the server and cause further harm to the server.

To keep your business from being affected, the JD Cloud security team recommends that you check your Jenkins installation promptly. If your deployment falls within the affected scope, update and fix the problem in time to prevent attacks by an external attacker.

[Vulnerability Details]

The Stapler web framework used by Jenkins contains an arbitrary file read vulnerability. An attacker can craft malicious requests, without any authentication, to read any file in the Jenkins file system.

[Risk Grade]

High risk

[Affected Versions]

Versions known to be affected include:

Jenkins weekly 2.132 and all previous versions

Jenkins LTS 2.121.1 and all previous versions

[Patch Suggestion]

Before applying the change, back up your data and verify the upgrade in advance so that the change does not make your business unavailable.

Upgrade Jenkins weekly to version 2.133.

Upgrade Jenkins LTS to version 2.121.2.

Download link for the new version: https://jenkins.io/download/
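The self-check recommended above, as an added example that is not part of this notice or of the Jenkins project: it compares a Jenkins version string against the affected ranges stated here (weekly up to 2.132, LTS up to 2.121.1) and names the fixed release to upgrade to. It assumes that LTS versions have three numeric components and weekly versions two, and that the version can be read from the X-Jenkins response header that a Jenkins instance sends; neither of those details is mentioned in the notice, and the sample header block below is constructed for this example.

```python
"""Self-check for the Jenkins arbitrary file read advisory (CVE-2018-1999002).

Added example, not part of the JD Cloud notice or the Jenkins project. It
compares a Jenkins version string against the affected ranges stated in the
notice and names the fixed release to upgrade to.
"""
import re

# Affected ranges from the notice: weekly <= 2.132, LTS <= 2.121.1.
# Fixed releases from the notice: weekly 2.133, LTS 2.121.2.
LAST_AFFECTED = {"weekly": (2, 132), "lts": (2, 121, 1)}
FIXED = {"weekly": "2.133", "lts": "2.121.2"}


def parse_version(version):
    """Return (line, numbers) where line is 'lts' for three-part versions
    (e.g. 2.121.1) and 'weekly' for two-part versions (e.g. 2.132).
    This component-count rule is an assumption of this example.
    Raises ValueError for anything that is not a dotted integer version."""
    parts = version.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a Jenkins version: {version!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) == 3:
        return "lts", nums
    if len(nums) == 2:
        return "weekly", nums
    raise ValueError(f"unexpected version layout: {version!r}")


def is_affected(version):
    """True when the version is at or below the last affected release
    of its line; tuple comparison handles 1.x releases as well."""
    line, nums = parse_version(version)
    return nums <= LAST_AFFECTED[line]


def version_from_headers(raw_headers):
    """Extract the version Jenkins reports in its X-Jenkins response header
    (assumed header name). Returns None if the header is absent."""
    for header_line in raw_headers.splitlines():
        name, sep, value = header_line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess(version):
    """Human-readable verdict naming the fixed release from the notice."""
    line, _ = parse_version(version)
    if is_affected(version):
        return f"{version} ({line}) is affected; upgrade to {FIXED[line]}"
    return f"{version} ({line}) is not affected by CVE-2018-1999002"


# Constructed sample response headers (values invented for this example),
# as a plain GET to the Jenkins root might return them.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Jenkins: 2.121.1
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""

if __name__ == "__main__":
    found = version_from_headers(SAMPLE_HEADERS)
    print(assess(found))
    for v in ("2.132", "2.133", "2.121.1", "2.121.2", "2.107.3"):
        print(assess(v))
```

Run it against the version your own instance reports; anything the check flags should be upgraded to the fixed release named in the output.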

[Reference Information]

Official Notification: https://jenkins.io/security/advisory/2018-07-18/

JD Cloud team
