CVE-2022-43419 Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission.

This may pose a risk to API keys stored in Jenkins. It is recommended that any sensitive key be stored in a keystore or its equivalent, or be secured in a Vault, or otherwise not placed on the Jenkins server where it can be viewed by users with Extended Read permission. This issue has been fixed in jenkins katana plugin 1.0.33 and later.



A new plugin katana-userrole-config 1.0.0 has been released that stores API keys in a secured location. This new plugin will store API keys in the kataconfig.yml of the user that created the role. This allows API keys to be secured in a keystore or equivalent, or stored in a Vault, or otherwise secured.

What is the katana-userrole plugin?

The katana-userrole plugin is an add-on for Jenkins that allows users to assign a user role to Jenkins. A user role can be used to give permissions to the job step without having to update the user’s security details.

Self-Service API Access in Jenkins

API access in Jenkins is now self-service. This allows a user to create their own role and use it to access APIs on their behalf.
If a user creates an API role, they can then view the list of available APIs that are available for the given role. The default configuration will allow the permissions to be granted automatically when an API is called. But if you want to implement more granular authorization, you can set up a custom policy for each API call.
If your organization is using Jenkins in your enterprise, this new functionality could help reduce the number of opensourced plugins needed on your instance by allowing users to self-serve with just one plugin instead of needing to install many plugins depending on what they want to do with Jenkins.

Summary of Key Takeaways From This Article:

- A new plugin has been released that stores API keys in a secured location. This new plugin will store API keys in the kataconfig.yml of the user that created the role. This allows API keys to be secured in a keystore or equivalent, or stored in a Vault, or otherwise secured.
- The new plugin katana-userrole-config 1.0.0 has been released that stores API keys in a secured location.

How to fix #1: Set the default user role in Jenkins to katana-userrole-config

On Jenkins, click Manage Jenkins -> Configure System -> Default User Roles -> Katana User Role. Select the katana-userrole-config role and click Save.

Make sure the following plugins are installed: jenkins katana plugin 1.0.33 and later

Apache Jenkins and Katana

Jenkins is a continuous integration and delivery platform. The Apache Jenkins project has created several plugins to help with continuous delivery. One of the plugins is katana-userrole-config, which helps store API keys in a secured location.

The new plugin katana-userrole-config 1.0.0 has been released that stores API keys in a secured location. This new plugin will store API keys in the kataconfig.yml of the user that created the role

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 03:40:00 UTC

References

• https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2846
• http://www.openwall.com/lists/oss-security/2022/10/19/3
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-43419