On July 18, 2018, Jenkins released its latest security bulletin and announced multiple security vulnerabilities. SECURITY-914 is an arbitrary file read vulnerability reported by Orange.

Attackers can exploit this critical vulnerability to read arbitrary files on Windows servers and, under specific conditions, on Linux servers. Attackers can also obtain credentials stored in Jenkins and thereby expose sensitive user information. Some of these credentials may be user passwords, which allow attackers to log on to the Jenkins systems and execute commands.

CVE ID

CVE-2018-1999002

Vulnerability name

Arbitrary file read vulnerability in Jenkins

Vulnerability description

An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allows unauthenticated users to send crafted HTTP requests that return the contents of any file on the Jenkins master file system that the Jenkins master process can access.

For more information about this vulnerability, see the Jenkins security advisory.

Affected versions

  • Jenkins weekly 2.132 and earlier
  • Jenkins LTS 2.121.1 and earlier

Solution

  • Upgrade Jenkins weekly to 2.133.
  • Upgrade Jenkins LTS to 2.121.2.

Protection recommendations

If you do not want to upgrade Jenkins to fix this vulnerability, we recommend that you use the custom protection policy feature provided by WAF to protect your business.

You can use this feature to create a rule that blocks requests whose Accept-Language header field contains the directory traversal sequence `../`. This prevents attackers from exploiting this vulnerability to read arbitrary files by using directory traversal.
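The following is an added example (not code from this page, from Jenkins, or from WAF) that shows the logic of such a rule in plain Python: it parses a raw HTTP request, extracts the Accept-Language header, and returns a block/allow decision when the value contains a traversal sequence. It goes slightly beyond the literal `../` match described above by also decoding percent-encoding once and treating a backslash as a separator, so that trivially encoded variants are caught; the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches "../" or "..\" anywhere in the value (defensive extension: the page's
# rule only mentions the literal "../").
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_headers(raw_request: str) -> dict:
    """Parse a raw HTTP/1.1 request into a dict of lower-cased header names.

    Only the header section is read; parsing stops at the first empty line.
    """
    lines = raw_request.split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line, e.g. "GET / HTTP/1.1"
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def accept_language_is_suspicious(value: str) -> bool:
    """Return True if an Accept-Language value carries a directory-traversal sequence.

    The raw value and its percent-decoded form are both checked so that
    "..%2F" is treated like "../".
    """
    candidates = {value, unquote(value)}
    return any(TRAVERSAL_RE.search(candidate) for candidate in candidates)


def waf_decision(raw_request: str) -> str:
    """Emulate the custom protection rule: 'block' or 'allow' for one request."""
    headers = parse_headers(raw_request)
    value = headers.get("accept-language", "")
    return "block" if accept_language_is_suspicious(value) else "allow"


# Constructed sample requests (hostname and paths are placeholders, not real targets).
BENIGN_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: jenkins.example\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "\r\n"
)
TRAVERSAL_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: jenkins.example\r\n"
    "Accept-Language: ../../example\r\n"
    "\r\n"
)
ENCODED_TRAVERSAL_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: jenkins.example\r\n"
    "Accept-Language: ..%2F..%2Fexample\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for name, request in [
        ("benign", BENIGN_REQUEST),
        ("traversal", TRAVERSAL_REQUEST),
        ("encoded traversal", ENCODED_TRAVERSAL_REQUEST),
    ]:
        print(f"{name}: {waf_decision(request)}")
```

A real WAF applies the match before the request reaches Jenkins; this script only demonstrates the matching logic so that the rule can be reasoned about and tested against captured traffic.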

Protective effects

Based on the custom protection policy, WAF blocks the HTTP request that attempts to exploit the vulnerability.
Note: For more information about the custom protection policy feature, see Create a custom protection policy.