
Critical Jenkins Server Vulnerability Could Leak Sensitive Information

Reference: 
Advisory #2020-028
Version: 
1.0
Affected software: 
Jenkins weekly up to and including 2.242
Jenkins LTS up to and including 2.235.4
Type: 
Disclosure of Sensitive data
CVE/CVSS: 

CVE-2019-17638 - CVSS: 9.4

Sources

https://www.jenkins.io/security/advisory/2020-08-17/

Risks

An unauthenticated attacker is able to obtain HTTP response headers that may include sensitive data intended for another user.

Description

The vulnerability is in Jetty, which Jenkins bundles through the Winstone-Jetty wrapper to act as HTTP and servlet server when Jenkins is started with java -jar jenkins.war. The flaw is not a buffer overflow but a buffer corruption: a ByteBuffer is released back to Jetty's ByteBufferPool twice.

When the response headers are too large, Jetty throws an exception to produce an HTTP 431 error. On that error path, the ByteBuffer holding the HTTP response headers is released to the buffer pool twice.
Because the buffer now sits in the pool twice, two threads can acquire the same ByteBuffer at the same time: while one thread is about to write its response from the buffer, the other thread fills it with data for a different request, and the first client receives a response that was written for the other thread.

That response can contain session identifiers, authentication credentials, and other sensitive information.
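The race described above, reduced to a toy buffer pool. This is an added illustration and not Jetty's or Jenkins's code: the pool, the header strings, the size limit and the "clients" are constructed here, and the two release calls stand in for the two Jetty code paths that each hand the header buffer back. The hardened variant simply refuses a buffer that is already in the free list, which is enough to turn the silent cross-request leak into a detectable error.

```python
"""Toy model of the ByteBufferPool double release behind CVE-2019-17638.

Added illustration, not Jetty's or Jenkins's code. Everything below is
constructed for the demonstration; Jetty's real ByteBufferPool and
HttpGenerator are far more involved.
"""
from typing import List

BUFFER_SIZE = 256  # assumed header buffer size, standing in for Jetty's responseHeaderSize


class ByteBufferPool:
    """Minimal pool: acquire() hands out a free bytearray, release() returns one."""

    def __init__(self, size: int, reject_double_release: bool) -> None:
        self.size = size
        self.reject_double_release = reject_double_release
        self._free: List[bytearray] = []

    def acquire(self) -> bytearray:
        # Reuse a pooled buffer if there is one, otherwise allocate a fresh one.
        return self._free.pop() if self._free else bytearray(self.size)

    def release(self, buf: bytearray) -> None:
        # Hardened pool: a buffer already in the free list must not be added again.
        # Vulnerable pool: blindly append, so the same buffer can be handed out twice.
        if self.reject_double_release and any(b is buf for b in self._free):
            raise RuntimeError("buffer released twice")
        self._free.append(buf)


def fill(buf: bytearray, headers: bytes) -> None:
    """Write a header block into the pooled buffer, zero-padding the rest."""
    buf[:] = headers.ljust(len(buf), b"\0")


def flush(buf: bytearray) -> bytes:
    """What the client on the other end of this buffer actually receives."""
    return bytes(buf).rstrip(b"\0")


def handle_oversized_response(pool: ByteBufferPool, buf: bytearray) -> None:
    """The 431 error path: in affected versions the header buffer is released
    on two different code paths, so it ends up in the pool twice."""
    pool.release(buf)  # first release (error handling in the generator)
    pool.release(buf)  # second release (cleanup in the channel) - the bug


def simulate(reject_double_release: bool) -> dict:
    """Run one oversized response followed by two concurrent normal responses."""
    pool = ByteBufferPool(BUFFER_SIZE, reject_double_release)

    # Request 0: response headers too large -> HTTP 431 -> double release.
    buf0 = pool.acquire()
    try:
        handle_oversized_response(pool, buf0)
        double_release_caught = False
    except RuntimeError:
        double_release_caught = True

    # Thread 1 and thread 2 each acquire a header buffer for their own client.
    buf1 = pool.acquire()
    buf2 = pool.acquire()

    headers1 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    headers2 = (b"HTTP/1.1 200 OK\r\n"
                b"Set-Cookie: JSESSIONID=deadbeef; Path=/; HttpOnly\r\n\r\n")  # constructed

    fill(buf1, headers1)        # thread 1 has prepared client 1's headers ...
    fill(buf2, headers2)        # ... but thread 2 writes into "its" buffer first
    client1_received = flush(buf1)  # thread 1 now flushes buf1 to client 1

    return {
        "shared_buffer": buf1 is buf2,
        "double_release_caught": double_release_caught,
        "client1_leaked_other_session": b"JSESSIONID" in client1_received,
        "client1_received": client1_received,
    }


if __name__ == "__main__":
    for hardened in (False, True):
        result = simulate(hardened)
        print("hardened pool" if hardened else "vulnerable pool", result)
```

With the vulnerable pool, buf1 and buf2 are the same object and client 1 receives the Set-Cookie line meant for client 2; with the guard in place the second release raises, the two threads get distinct buffers, and each client sees only its own headers.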

Recommended Actions

CERT.be recommends that system administrators apply the latest patches released by the vendor as soon as possible.
When patching, externally facing systems should be prioritised.

Patched versions of the affected components, which update the bundled Jetty to 9.4.30, are available at the Jenkins download page.

Jenkins weekly releases should be updated to version 2.243
Jenkins LTS releases should be updated to version 2.235.5

link: https://www.jenkins.io/download/
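To find instances that still need the update, the version can be read from the X-Jenkins header that Jenkins sets on its HTTP responses and compared against the fixed releases above. The following is an added example, not a CERT.be or Jenkins tool; the sample response block is constructed, and the live lookup against /login is an assumption about which unauthenticated page to query.

```python
"""Classify a Jenkins version against the fixed releases named in this advisory.

Added example, not a CERT.be or Jenkins tool. It uses the X-Jenkins response
header; the sample header block below is constructed for the demonstration.
"""
import re
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.request import urlopen

FIXED_WEEKLY = (2, 243)     # first fixed weekly release
FIXED_LTS = (2, 235, 5)     # first fixed LTS release

# Constructed sample of what an unauthenticated request to Jenkins might return.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.235.4\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'2.235.4' -> (2, 235, 4); '2.242' -> (2, 242); anything else -> None."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> Optional[bool]:
    """True if the version lies in the affected range of this advisory.

    LTS releases carry three components (2.235.4) and weekly releases two
    (2.242), so the component count selects the line to compare against.
    Returns None when the string is not a Jenkins version at all.
    """
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED_LTS if len(v) == 3 else FIXED_WEEKLY
    return v < fixed


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Pull the X-Jenkins value out of a raw HTTP header block."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def fetch_version(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Read X-Jenkins from a live instance (network; not used by the offline demo).

    Assumption: /login answers unauthenticated. A 403 is still read for the
    header, since error responses can carry it as well.
    """
    try:
        with urlopen(base_url.rstrip("/") + "/login", timeout=timeout) as resp:
            return resp.headers.get("X-Jenkins")
    except HTTPError as err:
        return err.headers.get("X-Jenkins")


if __name__ == "__main__":
    found = version_from_headers(SAMPLE_RESPONSE)
    print(f"X-Jenkins: {found} -> affected: {is_affected(found)}")
```

Two caveats when using this for inventory: the check only applies to instances launched with java -jar jenkins.war, since that is when Winstone-Jetty is the HTTP server; and a version string alone says nothing about whether a reverse proxy in front of the instance rewrites or strips the header, so a missing X-Jenkins value should be treated as unknown rather than as safe.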