Mitigate SECURITY-218 by disabling the CLI

Jenkins masters will need a restart after applying this change, or it will have to be separately pasted into the Script Console. Change-Id: I427d6e1a72fbe2144f3d9d9306c1cc918730e0cd
2015-11-07 02:25:36 +00:00 · 2015-11-07 02:25:36 +00:00 · 760ea2c501
commit 760ea2c501
parent 74bf1d94fa
2 changed files with 28 additions and 0 deletions
--- a/files/cli-shutdown.groovy
+++ b/files/cli-shutdown.groovy
@ -0,0 +1,13 @@
+# taken directly from https://github.com/jenkinsci-cert/SECURITY-218
+# https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
+
+import jenkins.*;
+import jenkins.model.*;
+
+def p = AgentProtocol.all()
+p.each { x ->
+  if (x.name.contains("CLI")) p.remove(x)
+}
+
+def j = Jenkins.instance;
+j.actions.each { x -> if (x.getClass().name.contains("CLIAction")) j.actions.remove(x) }
--- a/manifests/master.pp
+++ b/manifests/master.pp
@ -219,6 +219,21 @@ class jenkins::master(
    require => File['/var/lib/jenkins/plugins/simple-theme-plugin'],
  }

+  file { '/var/lib/jenkins/init.groovy.d':
+    ensure  => directory,
+    owner   => 'jenkins',
+    group   => 'jenkins',
+    require => File['/var/lib/jenkins'],
+  }
+
+  file { '/var/lib/jenkins/init.groovy.d/cli-shutdown.groovy':
+    ensure  => present,
+    owner   => 'jenkins',
+    group   => 'jenkins',
+    source  => 'puppet:///modules/jenkins/cli-shutdown.groovy',
+    require => File['/var/lib/jenkins/init.groovy.d'],
+  }
+
  file { '/usr/local/jenkins':
    ensure => directory,
    owner  => 'root',