JENKINS-57005: Security warning: Credentials stored in plain text

Details

Released As: 1.5.0

Description

A security warning for the HockeyApp Plugin is displayed on my Jenkins server:

    Warnings have been published for the following currently installed components.
    HockeyApp Plugin 1.4.0:
        Credentials stored in plain text

I am running Jenkins v2.164.2 and HockeyApp plugin 1.4.0.


          Activity

Mez Pahlan added a comment -

Zach Olbrys thanks very much. From what I can understand by speaking to the Jenkins security team this is to be expected. I am supposed to advise people that because the credentials were stored in plain text at some time in the past they should be considered compromised. With this patch they should be fine going forward, but there is no way in Jenkins to uncompromise something that was already compromised. So I have been told to advise users to update their credentials and re-save them using the new plugin.

Now... I've also been told that this security hole requires admin access to your Jenkins server, where you can read the secrets, so I would leave it up to you as to whether you want to rush to change the token.

Can I double check how your job runs? Is it via a pipeline or is it freestyle? I'll prep some release notes and issue this later today.

Many many thanks again
Zach Olbrys added a comment -

Understood Mez Pahlan - thanks for the notes above. To answer your question: my Jenkins job is a cron job running once a day at a specific time (or on demand).
Zach Olbrys added a comment -

Hi Mez Pahlan - just to clarify, is the warning supposed to be dismissed after updating the credentials/re-saving them via the new plugin? I did so (and saw that my apiToken value was removed from the config.xml and replaced with an apiTokenSecret value) but I still have the warning displayed.
Mez Pahlan added a comment -

Hi Zach Olbrys, that sounds correct to me. Is there a way to dismiss the message after you have upgraded to 1.5.0? The way Jenkins works is that it doesn't provide a migration mechanism for the old insecure token storage. So unless users reconfigure their jobs like you have, it won't update on disk. I think it is correct to display the message in that scenario. If you can dismiss it then that would solve it. But that's a decision each Jenkins admin should take themselves once they have reconfigured their jobs.

If not, let me know and I can do some more research. However I will advise that I'm going to be dropping this plugin in favour of a new AppCenter plugin (because Microsoft is closing the HockeyApp service and migrating all users to AppCenter) that I'm looking to release soon, so I might not push any further changes to this one.
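The reconfigure-on-disk point above, as an added example that is not the plugin's code or anything posted in this thread: a defender's check over a JENKINS_HOME that lists jobs whose config.xml still carries the plain-text apiToken element (the 1.4.0 layout) rather than the apiTokenSecret element that re-saving the job under 1.5.0 writes, so an admin knows which jobs still need reconfiguring and which tokens to treat as exposed. Only the two element names apiToken and apiTokenSecret come from the thread; the surrounding XML layout, the class names in the sample configs, the sample values, and the heuristic that an encrypted Jenkins Secret appears on disk as base64 wrapped in braces are assumptions made for the example.

```python
"""Added example, not part of the HockeyApp plugin or of JENKINS-57005:
find Jenkins job config.xml files that still store the HockeyApp token as
a plain-text <apiToken> element instead of <apiTokenSecret>.

Assumptions: element names apiToken/apiTokenSecret come from the issue
thread; the XML layout and class names below are constructed approximations;
the "{base64}" shape of an encrypted Jenkins Secret is a heuristic.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PLAIN_TAG = "apiToken"         # pre-1.5.0: token written in plain text
SECRET_TAG = "apiTokenSecret"  # 1.5.0+: token written as a Jenkins Secret
# Heuristic (assumption): an encrypted Jenkins Secret serialises as {base64}.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def classify_config(xml_text: str) -> dict:
    """Count token elements in one config.xml by how they are stored."""
    root = ET.fromstring(xml_text)
    counts = {"plain": 0, "secret": 0, "secret_unencrypted": 0}
    for el in root.iter(PLAIN_TAG):
        if (el.text or "").strip():
            counts["plain"] += 1
    for el in root.iter(SECRET_TAG):
        value = (el.text or "").strip()
        if not value:
            continue
        counts["secret"] += 1
        if not ENCRYPTED_RE.match(value):
            counts["secret_unencrypted"] += 1
    return counts


def scan_jobs(jenkins_home: Path) -> list:
    """Return (job path, status) for each job that still needs attention.

    Jobs nested in folders (jobs/<folder>/jobs/<job>) are found as well.
    """
    findings = []
    for cfg in sorted(jenkins_home.rglob("jobs/*/config.xml")):
        job = cfg.parent.relative_to(jenkins_home).as_posix()
        try:
            counts = classify_config(cfg.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            findings.append((job, f"unparseable config.xml: {exc}"))
            continue
        if counts["plain"]:
            findings.append((job, "plaintext apiToken still on disk: "
                                  "re-save the job and rotate the token"))
        elif counts["secret_unencrypted"]:
            findings.append((job, "apiTokenSecret is not in encrypted form"))
    return findings


# Constructed sample configs (layout and class names are approximations).
LEGACY_XML = """<project>
  <publishers>
    <hockeyapp.HockeyappRecorder plugin="hockeyapp@1.4.0">
      <applications>
        <hockeyapp.HockeyappApplication>
          <apiToken>CONSTRUCTED-PLAINTEXT-TOKEN</apiToken>
          <appId>CONSTRUCTED-APP-ID</appId>
        </hockeyapp.HockeyappApplication>
      </applications>
    </hockeyapp.HockeyappRecorder>
  </publishers>
</project>
"""
MIGRATED_XML = """<project>
  <publishers>
    <hockeyapp.HockeyappRecorder plugin="hockeyapp@1.5.0">
      <applications>
        <hockeyapp.HockeyappApplication>
          <apiTokenSecret>{AQAAABAAAAAQQ29uc3RydWN0ZWRTYW1wbGU=}</apiTokenSecret>
          <appId>CONSTRUCTED-APP-ID</appId>
        </hockeyapp.HockeyappApplication>
      </applications>
    </hockeyapp.HockeyappRecorder>
  </publishers>
</project>
"""


def build_sample_home() -> Path:
    """Write the constructed configs into a temp dir shaped like JENKINS_HOME."""
    home = Path(tempfile.mkdtemp(prefix="jenkins_home_"))
    (home / "config.xml").write_text("<hudson/>", encoding="utf-8")  # not a job
    layout = {
        "jobs/legacy-upload": LEGACY_XML,
        "jobs/migrated-upload": MIGRATED_XML,
        "jobs/mobile/jobs/nested-legacy": LEGACY_XML,
    }
    for rel, xml in layout.items():
        (home / rel).mkdir(parents=True)
        (home / rel / "config.xml").write_text(xml, encoding="utf-8")
    return home


if __name__ == "__main__":
    for job, status in scan_jobs(build_sample_home()):
        print(f"{job}: {status}")
```

Run it against a real JENKINS_HOME by passing that path to scan_jobs instead of the constructed one; every job it lists was at some point written with the token in the clear, so the token should be rotated as well as re-saved, which is exactly the advice given in the thread.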

Zach Olbrys added a comment -

Mez Pahlan I see! That makes sense. I understand the decision to switch to the AppCenter plugin (and support it, FWIW). Thanks for helping with this issue.

People

Assignee: Mez Pahlan
Reporter: Zach Olbrys