gmacario/easy-jenkins

Environment Injector Plugin 2.1.5: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier

gmacario opened this issue · 8 comments

Reproduced on nemo:

  • OS: Ubuntu server 16.04.3 LTS 64-bit with latest updates
  • Docker version 17.12.1-ce
  • docker-compose version 1.19.0, build 9e633ef
  • easy-jenkins master (8af0182)


From https://jenkins.io/security/advisory/2018-02-26/#SECURITY-248

To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:

  • Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you’ve purged the data on disk (below).

  • Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.

  • Rotate all secrets that have potentially been exposed.

(I came across this issue due to a google search)

It looks like the semantic version comparison isn't picking up that the 2.1.5 plugin is newer than 1.90.

If you used 1.90 in the past, you're still at risk of exposing internal injected vars.
To prevent that you should delete all injectedEnvVars.txt inside jobs/.
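The advisory gives two clean-up options for the data EnvInject 1.90 and earlier left on disk: strip the sensitive entries out of each injectedEnvVars.txt, or delete the files from old build directories. The script below is an added example, not code from easy-jenkins or from the Jenkins advisory. It assumes (neither is stated on this page) that the files live at $JENKINS_HOME/jobs/<job>/builds/<n>/injectedEnvVars.txt and are plain KEY=VALUE lines; the regular expression for "looks like a credential" is a heuristic you should adjust to your naming conventions. It reports which variable names were exposed (that is your rotation list), and can either scrub only those entries or remove the files outright. Run it with Jenkins stopped, or at least with no builds running, so the Jenkins process is not writing to the same directories.

```shell
#!/usr/bin/env bash
# Added example: locate the injectedEnvVars.txt files written by EnvInject <= 1.90,
# report credential-looking variable names, then scrub or delete (advisory steps).
set -eu

# Heuristic (assumed, not from the advisory): variable names that look like secrets.
SECRET_RE="${SECRET_RE:-PASS|PASSWD|PASSWORD|TOKEN|SECRET|PRIVATE_KEY|CREDENTIAL}"

# List every injectedEnvVars.txt below $1/jobs (assumed layout: one per build dir).
find_injected_files() {
  find "$1/jobs" -type f -name injectedEnvVars.txt 2>/dev/null | LC_ALL=C sort
}

# Print the variable names in file $1 whose name matches SECRET_RE, one per line.
list_secret_vars() {
  # Only KEY=VALUE lines are considered; anything else in the file is ignored.
  grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$1" | cut -d= -f1 | grep -E -i "$SECRET_RE" || true
}

# Advisory option 1: remove only the sensitive-looking entries, keep the rest.
scrub_file() {
  local f="$1" tmp
  tmp="$(mktemp)"
  grep -E -v -i "^[A-Za-z0-9_]*($SECRET_RE)[A-Za-z0-9_]*=" "$f" > "$tmp" || true
  cat "$tmp" > "$f"   # overwrite in place so owner and mode (jenkins user) are kept
  rm -f "$tmp"
}

# Walk JENKINS_HOME ($1). Mode ($2): report = list only; scrub = drop secret entries;
# delete = remove the files (advisory option 2). Last output line: files=<n> secrets=<m>.
clean_injected_vars() {
  local home="$1" mode="${2:-report}" files=0 secrets=0 f name
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    files=$((files + 1))
    for name in $(list_secret_vars "$f"); do
      secrets=$((secrets + 1))
      echo "ROTATE: $name (from ${f#$home/})"
    done
    case "$mode" in
      scrub)  scrub_file "$f" ;;
      delete) rm -f "$f" ;;
    esac
  done <<EOF
$(find_injected_files "$home")
EOF
  echo "files=$files secrets=$secrets"
}

# Constructed sample JENKINS_HOME for the demo (fake values, not real credentials).
make_sample_home() {
  local home
  home="$(mktemp -d)"
  mkdir -p "$home/jobs/deploy/builds/1" "$home/jobs/deploy/builds/2" "$home/jobs/lint/builds/7"
  printf 'BUILD_NUMBER=1\nDEPLOY_PASSWORD=hunter2\nREGISTRY_TOKEN=abc123\n' \
    > "$home/jobs/deploy/builds/1/injectedEnvVars.txt"
  printf 'BUILD_NUMBER=2\nAPP_ENV=prod\n' > "$home/jobs/deploy/builds/2/injectedEnvVars.txt"
  printf 'BUILD_NUMBER=7\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI\n' \
    > "$home/jobs/lint/builds/7/injectedEnvVars.txt"
  echo "$home"
}

# Usage: ./clean-envinject.sh /var/jenkins_home [report|scrub|delete]
# With no arguments, run the report against the constructed sample and clean it up.
if [ "$#" -gt 0 ]; then
  clean_injected_vars "$1" "${2:-report}"
else
  SAMPLE="$(make_sample_home)"
  clean_injected_vars "$SAMPLE" report
  rm -rf "$SAMPLE"
fi
```

Run it in report mode first and keep the ROTATE lines: whichever clean-up option you pick, the values in those files have already been readable through the web UI, so rotating them is the step that actually removes the exposure. Inside the easy-jenkins container the Jenkins home is whatever directory the compose file mounts, so pass that path rather than searching from /.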

After deletion of all the injectedEnvVars.txt inside jobs/, checking the "disable injected..." option, and a restart of Jenkins, we are still encountering this warning message. Any other steps?

@afreege

After deletion of all the injectedEnvVars.txt inside jobs/, checking the "disable injected..." option, and a restart of Jenkins, we are still encountering this warning message. Any other steps?

Unfortunately I have no other clues, just reported what I read on https://jenkins.io/security/advisory/2018-02-26/#SECURITY-248

As a matter of fact, in my current setup the Jenkins master node is behind our corporate firewall, therefore the risk is mitigated.

If you or anyone on this thread happen to have any suggestions about how to fix the issue, please comment below or - even better - submit appropriate https://github.com/gmacario/easy-jenkins/pulls . Thanks!

Displaying a warning for a bug that does not exist anymore is really annoying; this should really get fixed.

I performed a fresh install of easy-jenkins on a new machine (dory.gmacario.it) to make sure there are no older versions of the plugins lying around, but the warning is still displayed.

@r4d1um

Displaying a warning for a bug that does not exist anymore is really annoying; this should really get fixed.

I concur, Pull Requests are welcome 😉

Started a clean instance of easy-jenkins master on host nemo.gmacario.it

Following instructions in https://stackoverflow.com/questions/49296119/how-to-disable-the-visualization-of-injected-environment-variables-in-jenkins

gpmacario@nemo:~/github/gmacario/easy-jenkins (master)*$ docker-compose exec -u root myjenkins /bin/bash
root@7f0598a1d6f5:/# find / -name "injectedEnvVars.txt"
find: ‘/proc/1/map_files’: Permission denied
find: ‘/proc/8/map_files’: Permission denied
find: ‘/proc/3938/map_files’: Permission denied
root@7f0598a1d6f5:/#

Browse ${JENKINS_URL} at http://nemo.gmacario.it:9080/, click Manage Jenkins then Configure Global Security

  • Under Environment Injector Plugin, check "Do not show injected variables"


  • Under Hidden security warnings, click on Security Warnings and then uncheck "Environment Injector Plugin: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier".

  • Click "Save".

This hides that warning so it doesn’t appear again.

After executing the steps detailed above, the warning has disappeared from ${JENKINS_URL}.

Closing issue