software—published an advisory on Monday
concerning a critical vulnerability in the Jetty web server that
could result in memory corruption and cause confidential
information to be disclosed.
Tracked as CVE-2019-17638[2], the flaw has a CVSS
rating of 9.4 and affects Eclipse Jetty, a full-featured Java HTTP
server and web container used by many software frameworks, in
versions 9.4.27.v20200227 through 9.4.29.v20200521.
“Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act
as HTTP and servlet server when started using java -jar
jenkins.war. This is how Jenkins is run when using any of the
installers or packages, but not when run using servlet containers
such as Tomcat,” read the advisory.
HTTP response headers that may include sensitive data intended for
another user.”
The flaw[3], which impacts Jetty and
Jenkins Core, appears to have been introduced in Jetty version
9.4.27, which added a mechanism to handle large HTTP response
headers and prevent buffer overflows.
“The issue was in the case of a buffer overflow, we released the
header buffer, but did not null the field,” Jetty’s project head
Greg Wilkins[4] said.
Jetty then throws an exception in order to return an HTTP 431
error, but because the field still referenced the already-released
buffer, the exception path returned the same header buffer to the
buffer pool a second time. That double release corrupts the pool's
bookkeeping: two threads can subsequently acquire the same buffer at
the same time, so one request may read a response written by the
other thread, which could include session identifiers, authentication
credentials, and other sensitive information.
Put differently, “while thread1 is about to use the ByteBuffer to
write response1 data, thread2 fills the ByteBuffer with response2
data. Thread1 then proceeds to write the buffer that now contains
response2 data. This results in client1, which issued request1 and
expects responses, to see response2 which could contain sensitive
data belonging to client2.”
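The sequence in that quote can be reproduced in a few dozen lines. The following is an added illustration written for this article, not Jetty's or Jenkins' code: `DemoBufferPool` and `DemoHeaderGenerator` are hypothetical stand-ins for a pooled-buffer design, and the header values are constructed. Both a vulnerable variant (the field is left pointing at the released buffer, so the cleanup path releases it again) and the fixed variant (the field is nulled after the first release) are run so the difference in what "client1" receives is visible. It requires Java 11 or later for `String.repeat`.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

public final class DoubleReleaseDemo {

    // Hypothetical stand-in for a buffer pool (not Jetty's ByteBufferPool): acquire()
    // hands out a free buffer or allocates one; release() pushes a buffer back. Like a
    // real pool it trusts callers never to release the same buffer twice.
    static final class DemoBufferPool {
        private final Deque<ByteBuffer> free = new ArrayDeque<>();
        private final int capacity;

        DemoBufferPool(int capacity) { this.capacity = capacity; }

        ByteBuffer acquire() {
            ByteBuffer b = free.poll();
            return b != null ? b : ByteBuffer.allocate(capacity);
        }

        void release(ByteBuffer b) {
            b.clear();
            free.push(b);
        }
    }

    // Hypothetical header generator modelling the pattern the advisory describes: on
    // overflow the header buffer is released and an exception is thrown to produce a
    // 431. In the buggy variant the field keeps pointing at the released buffer, so the
    // cleanup path releases it again; the fixed variant nulls the field first.
    static final class DemoHeaderGenerator {
        private final DemoBufferPool pool;
        private final boolean nullFieldAfterRelease; // false = vulnerable, true = fixed
        private ByteBuffer header;

        DemoHeaderGenerator(DemoBufferPool pool, boolean nullFieldAfterRelease) {
            this.pool = pool;
            this.nullFieldAfterRelease = nullFieldAfterRelease;
        }

        void generate(String headerBlock) {
            header = pool.acquire();
            try {
                byte[] bytes = headerBlock.getBytes(StandardCharsets.ISO_8859_1);
                if (bytes.length > header.remaining()) {
                    pool.release(header);                 // first release
                    if (nullFieldAfterRelease) {
                        header = null;                    // the fix: forget the buffer
                    }
                    throw new IllegalStateException("431 Request Header Fields Too Large");
                }
                header.put(bytes);
            } finally {
                if (header != null) {
                    pool.release(header);                 // second release when buggy
                    header = null;
                }
            }
        }
    }

    // "A thread fills the buffer with its response": reset and write.
    static void fill(ByteBuffer b, String s) {
        b.clear();
        b.put(s.getBytes(StandardCharsets.ISO_8859_1));
    }

    // What a thread would flush to its client from the buffer it holds.
    static String contents(ByteBuffer b) {
        ByteBuffer view = b.duplicate();
        view.flip();
        return StandardCharsets.ISO_8859_1.decode(view).toString();
    }

    // Triggers the overflow path, then plays "thread1" and "thread2" one after the
    // other: each acquires a buffer and fills it with its own response. Returns what
    // client1 receives from the buffer thread1 is holding.
    static String responseSeenByClient1(boolean fixed) {
        DemoBufferPool pool = new DemoBufferPool(64);
        DemoHeaderGenerator gen = new DemoHeaderGenerator(pool, fixed);
        try {
            gen.generate("X-Too-Large: " + "a".repeat(100) + "\r\n");  // constructed input
        } catch (IllegalStateException expected) {
            // the 431 path; if the pool was corrupted, the damage is already done
        }
        ByteBuffer forThread1 = pool.acquire();
        ByteBuffer forThread2 = pool.acquire();   // same object as forThread1 when buggy
        fill(forThread1, "Set-Cookie: JSESSIONID=session-of-user-A\r\n");
        fill(forThread2, "Set-Cookie: JSESSIONID=session-of-user-B\r\n");
        return contents(forThread1);
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: client1 sees -> " + responseSeenByClient1(false).trim());
        System.out.println("fixed:      client1 sees -> " + responseSeenByClient1(true).trim());
    }
}
```

The vulnerable run hands the same `ByteBuffer` to both "threads", so client1 is shown user B's `Set-Cookie` header; the fixed run allocates a second buffer and client1 sees only its own response. In a real server the two acquirers are concurrent request threads, so the symptom appears intermittently and only under load, which is why such bugs surface as sporadic reports of users landing in someone else's session rather than as a reproducible failure.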
In at least one reported case, the corruption let clients move
between sessions and gain cross-account access: authentication
cookies from one user's response were sent to another user, so
user A ended up inside user B's session.
After the security implications were disclosed, the
vulnerability was addressed in Jetty 9.4.30.v20200611 released last
month. Jenkins, which bundles Jetty via a command-line interface
called Winstone[5], has patched the flaw[6] in Jenkins 2.243 and
Jenkins LTS 2.235.5, both released yesterday.
It’s recommended that Jenkins users update to the latest version
to mitigate the buffer corruption flaw. As the advisory notes, the
bundled Winstone-Jetty is only in use when Jenkins is started with
java -jar jenkins.war or one of the installers or packages;
deployments that run Jenkins inside a separate servlet container
such as Tomcat are not exposed through it, though they depend on
that container's own Jetty or servlet stack being kept current.
References
1. advisory (www.jenkins.io)
2. CVE-2019-17638 (nvd.nist.gov)
3. flaw (bugs.eclipse.org)
4. Greg Wilkins (github.com)
5. Winstone (github.com)
6. patched the flaw (www.jenkins.io)
Read more: http://feedproxy.google.com/~r/TheHackersNews/~3/CyvNVbkDzzE/jenkins-server-vulnerability.html