[JENKINS-55659] Tool downloads are vulnerable to tampering - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Component/s: core
Labels:
- security-hardening
Environment:
Not relevant

Similar Issues:

Show

Description

List of references to external tools on update site are neither signed or hashed. This makes tools installer vulnerable to tampering. First content should be signed to prevent malicious third parties from modifying it and redirecting jenkins to download from unknown sources. Contents of urls should also be hashed to prevent malicious modifications at download source.

Attachments

Activity

Ascending order - Click to sort in descending order

Daniel Beck added a comment - 2019-01-18 08:31

List of references to external tools on update site are neither signed or hashed. This makes tools installer vulnerable to tampering. First content should be signed to prevent malicious third parties from modifying it and redirecting jenkins to download from unknown sources.

You're describing how it works today. In fact, INFRA-1944 demonstrates that Jenkins cares a lot about the signatures.

Contents of urls should also be hashed to prevent malicious modifications at download source.

Reasonable RFE. Likely not possible to do in core, but rather up to individual implementations.

Daniel Beck added a comment - 2019-01-18 08:31 List of references to external tools on update site are neither signed or hashed. This makes tools installer vulnerable to tampering. First content should be signed to prevent malicious third parties from modifying it and redirecting jenkins to download from unknown sources. You're describing how it works today. In fact, INFRA-1944 demonstrates that Jenkins cares a lot about the signatures. Contents of urls should also be hashed to prevent malicious modifications at download source. Reasonable RFE. Likely not possible to do in core, but rather up to individual implementations.

Daniel Beck added a comment - 2019-01-18 08:34

Notably, a while back we moved all possible URLs to HTTPS to further limit problems. Since we're not actually providing the binaries ourselves, providing content hashes seems to invite problems in case they're ever (legitimately) changed.

Daniel Beck added a comment - 2019-01-18 08:34 Notably, a while back we moved all possible URLs to HTTPS to further limit problems. Since we're not actually providing the binaries ourselves, providing content hashes seems to invite problems in case they're ever (legitimately) changed.

Sami Korhonen added a comment - 2019-01-18 11:28 - edited

Is there an api in jenkins that plugins are using to download tools? If so, would it be possible to add feature similar to scripts? (script security) Having administrators approve tool installs and checksums might not be such a bad idea

Sami Korhonen added a comment - 2019-01-18 11:28 - edited Is there an api in jenkins that plugins are using to download tools? If so, would it be possible to add feature similar to scripts? (script security) Having administrators approve tool installs and checksums might not be such a bad idea

Daniel Beck added a comment - 2019-01-18 11:37

If you don't trust the publicly provided installer URLs, don't configure them. You can always use the "Download an extract a zip file" installer at a location you control.

Daniel Beck added a comment - 2019-01-18 11:37 If you don't trust the publicly provided installer URLs, don't configure them. You can always use the "Download an extract a zip file" installer at a location you control.

People

Assignee:: Unassigned

Reporter:: Sami Korhonen

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-01-17 17:20

Updated:: 2019-01-18 11:37