Mitigating CVE-2023-27898 XSS vulnerability in plugin manager and related

I am somewhat spooked by:
XSS vulnerability in plugin manager SECURITY-3037 / CVE-2023-27898
and the other CVE announced 2023-03-08.

I read on HackerNews: Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

Since it’s also a case of stored XSS wherein the JavaScript code is injected into the server, the vulnerability can be activated without having to install the plugin or even visit the URL to the plugin in the first place.

Troublingly, the flaws could also affect self-hosted Jenkins servers and be exploited even in scenarios where the server is not publicly accessible over the internet since the public Jenkins Update Center could be “injected by attackers.”

I’m sure I’m not the only one in the boat run aground in that we cannot upgrade our Jenkins because some plugins, the TFS plugin specifically, are not compatible with 2.277.1+.

We are in a position where we pretty much cannot upgrade ANY more plugins as something/everything depends on a higher Jenkins core. As such, we presently have no use for the Update Center on those instances.

Assuming the reporting is accurate and even "not publicly accessible" instances are vulnerable (our instances are all on-prem and not accessible externally), is there a mechanism to entirely disable the Available updates functionality to help protect us? Perhaps an invalid url in hudson.model.UpdateCenter.xml?

Any guidance is most appreciated.

I don’t think your concerns are valid, at least based on my reading of the security advisory where it says:

Jenkins community update sites no longer publish plugin releases with invalid Jenkins core dependencies since 2023-02-15. This prevents exploitation through those update sites even on versions of Jenkins older than 13 months (emphasis added). Additionally, the Jenkins security team has confirmed that no plugin release with a core dependency manipulated to exploit this vulnerability has ever been published by the Jenkins project.

So long as you’re using the community update sites, your controller is not at risk. In order to exploit the vulnerability, the Jenkins community update site would need to publish a plugin with an invalid Jenkins core dependency. Since 2023-02-15, the update site disallows that.

I’m not a member of the security team, so I may be incorrect in my interpretation of the advisory.

I think you should be more concerned that you’re dependent on a plugin with known security vulnerabilities (TFS) and are using Jenkins controllers with known security vulnerabilities. This seems like a good time to ask your company to sponsor a developer to adopt the TFS plugin, fix the security issues, modernize it, and release it.
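The advisory quoted above hinges on plugin metadata carrying an invalid Jenkins core dependency. For an administrator who cannot upgrade and wants an independent check on whatever update-center payload their controller consumes, the script below is an added example (not code from Jenkins or from either poster): it parses an update-center.json payload, strips the `updateCenter.post(...)` JSONP envelope, and reports every plugin whose `requiredCore` is not a plain dotted version number. The envelope string and the `plugins` / `requiredCore` field names are assumptions about the published format, and the sample payload is constructed for the example.

```python
import json
import re

# Constructed sample in the shape of an update-center.json payload, wrapped in the
# "updateCenter.post(...);" JSONP envelope (assumed format). One entry has a
# deliberately malformed requiredCore value to exercise the check.
SAMPLE_UPDATE_CENTER = r'''updateCenter.post(
{"plugins": {
  "good-plugin": {"name": "good-plugin", "version": "1.2.3", "requiredCore": "2.277.1"},
  "older-plugin": {"name": "older-plugin", "version": "0.9", "requiredCore": "2.204.1"},
  "odd-plugin": {"name": "odd-plugin", "version": "4.0", "requiredCore": "not-a-version"}
}}
);'''

# A well-formed core dependency is digits separated by dots, nothing else.
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def strip_jsonp(payload: str) -> str:
    """Remove the JSONP wrapper so the remainder is plain JSON."""
    payload = payload.strip()
    prefix = "updateCenter.post("
    if payload.startswith(prefix):
        payload = payload[len(prefix):]
    if payload.endswith(");"):
        payload = payload[:-2]
    return payload.strip()


def parse_version(text: str) -> tuple:
    """Turn '2.277.1' into (2, 277, 1) for numeric comparison."""
    return tuple(int(part) for part in text.split("."))


def find_invalid_core_dependencies(payload: str) -> list:
    """Return (plugin name, requiredCore) for every entry whose requiredCore
    is missing, not a string, or not a plain dotted version number."""
    data = json.loads(strip_jsonp(payload))
    findings = []
    for name, meta in sorted(data.get("plugins", {}).items()):
        required = meta.get("requiredCore")
        if not isinstance(required, str) or not VERSION_RE.match(required):
            findings.append((name, required))
    return findings


def plugins_requiring_newer_core(payload: str, running_core: str) -> list:
    """List well-formed entries that demand a core newer than the one running;
    these would not be installable on a controller pinned to an old core."""
    data = json.loads(strip_jsonp(payload))
    running = parse_version(running_core)
    newer = []
    for name, meta in sorted(data.get("plugins", {}).items()):
        required = meta.get("requiredCore")
        if isinstance(required, str) and VERSION_RE.match(required):
            if parse_version(required) > running:
                newer.append(name)
    return newer


if __name__ == "__main__":
    # In practice, read the payload from a local file the controller fetched.
    for name, required in find_invalid_core_dependencies(SAMPLE_UPDATE_CENTER):
        print(f"malformed requiredCore for {name!r}: {required!r}")
    print("need newer core:", plugins_requiring_newer_core(SAMPLE_UPDATE_CENTER, "2.263.1"))
```

Run it against a payload saved from the update site the controller is configured to use; any hit from `find_invalid_core_dependencies` is worth investigating before the plugin manager page is opened, and an empty result matches the advisory's statement that the community sites no longer publish such entries.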