On July 18, 2018, Jenkins published a security advisory covering multiple vulnerabilities. One of them, SECURITY-914, is an arbitrary file read vulnerability reported by Orange Tsai.

Attackers can exploit this vulnerability to read any file on a Windows server and, under specific conditions, files on a Linux server. Because Jenkins keeps its configuration and stored credentials in files on the master, an attacker who can read those files can obtain credential information and expose sensitive user data. Some of these credentials may be user passwords, which let the attacker log on to Jenkins and execute commands.

CVE number

CVE-2018-1999002

Vulnerability name

Jenkins arbitrary file read

Description

The Stapler web framework used by Jenkins contains an arbitrary file read vulnerability. Stapler uses the locale requested in the Accept-Language header to look up localized versions of static resources, and directory traversal sequences in that header are carried into the file path. Unauthenticated attackers can therefore send crafted HTTP requests to read the contents of any file on the Jenkins master file system that the Jenkins master process has access to.

For more information about this vulnerability, see the Jenkins security advisory.

Affected versions

  • Jenkins weekly 2.132 and earlier versions
  • Jenkins LTS 2.121.1 and earlier versions

Fix

  • Upgrade Jenkins weekly to version 2.133 or later.
  • Upgrade Jenkins LTS to version 2.121.2 or later.

Protection tips

If you cannot upgrade Jenkins immediately, we recommend that you use the HTTP ACL policy feature provided by WAF to protect your business until the upgrade is done. The WAF rule is a stopgap that blocks the known request pattern; it does not remove the vulnerability from Jenkins itself.

You can create a rule to block requests whose Accept-Language header field contains `../`. This prevents attackers from using directory traversal in that header to read arbitrary files on your servers. Because Windows also accepts the backslash as a path separator, consider matching `..\` in the same rule, or restrict the header to well-formed language tags only.
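The following Python script is an added example and is not part of the original advisory, of Jenkins, or of the WAF product. It models the header check above against constructed sample requests: the substring rule described on this page is compared with a stricter allow-list that only admits comma-separated RFC 5646 language tags with optional q-weights. The function names, the regular expression and the sample requests are assumptions made for the illustration.

```python
import re

# Rule 1: the rule described on this page. A plain substring match on "../"
# in the Accept-Language header value (hypothetical helper name).
def blocked_by_substring_rule(accept_language: str) -> bool:
    return "../" in accept_language

# Rule 2: a stricter allow-list suggested here as an alternative. Each
# comma-separated entry must look like an RFC 5646 language tag (or "*") with
# an optional ";q=" weight; anything else, including "..\", is rejected.
_LANGUAGE_TAG = re.compile(
    r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
    r"(?:\s*;\s*q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$"
)

def accept_language_is_wellformed(accept_language: str) -> bool:
    value = accept_language.strip()
    if not value:
        return True          # a missing or empty header is not an attack
    return all(_LANGUAGE_TAG.match(part.strip()) for part in value.split(","))

def parse_headers(raw_request: str) -> dict:
    """Return the header map (lower-cased names) of a raw HTTP/1.1 request."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw_request: str) -> dict:
    """Apply both rules to one request and report which would block it."""
    lang = parse_headers(raw_request).get("accept-language", "")
    return {
        "substring_rule_blocks": blocked_by_substring_rule(lang),
        "allowlist_rule_blocks": not accept_language_is_wellformed(lang),
    }

# Constructed sample requests (not captured traffic). Only the header differs.
def _request(accept_language: str) -> str:
    return (
        "GET / HTTP/1.1\r\n"
        "Host: jenkins.example.internal\r\n"
        f"Accept-Language: {accept_language}\r\n"
        "\r\n"
    )

BENIGN = _request("en-US,en;q=0.9,zh-CN;q=0.8")
TRAVERSAL_SLASH = _request("../../../../../../../../windows/system32/drivers/etc/hosts")
TRAVERSAL_BACKSLASH = _request("..\\..\\..\\..\\..\\..\\..\\..\\windows\\system32\\drivers\\etc\\hosts")
MIXED = _request("en-US,../../../../etc/passwd;q=0.5")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN),
                       ("slash traversal", TRAVERSAL_SLASH),
                       ("backslash traversal", TRAVERSAL_BACKSLASH),
                       ("mixed", MIXED)]:
        print(f"{label:20s} {classify(req)}")
```

Running the script shows the difference between the two rules: the substring rule passes the benign request and blocks the `../` variants, but lets the backslash variant through, while the allow-list rejects every value that is not a plausible language tag. If you deploy the allow-list form in a real WAF, test it against your own clients first, since private-use or extended language tags may need the pattern widened.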

Result

With the access control rule in place, WAF blocks requests that attempt to exploit the vulnerability.
Note: For more information about access control rules, see Precise access control.