Unpatched versions could expose sensitive user data
The maintainers of Jenkins have addressed a critical buffer corruption vulnerability in Jetty, a core dependency, which could expose sensitive user information.
The open source Jenkins project bundles Winstone-Jetty, a wrapper around Jetty, to act as an HTTP and servlet server when started using java-jar jenkins.war, a security advisory explains.
Affected versions of Jenkins (2.224 to 2.242) and the Long-Term Support line (2.222.1 to 2.235.4) bundle a version of Jetty that’s impacted by a previously disclosed buffer corruption vulnerability (CVE-2019-17638).
An advisory explains: “In case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice.”
Due to the double release, two threads can acquire the same ByteBuffer from the pool.
“While thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data,” the post adds.
This could allow unauthenticated attackers to obtain HTTP response headers that could contain sensitive data, potentially exposing information including HTTP session IDs and user credentials.
The bug was classed as high severity by Jenkins staff. It has now been patched in the latest Jenkins build (2.243) and Jenkins LTS (2.235.5).
Jenkins users are urged to update to the latest versions.
The latest Jenkins security release follows an advisory/release earlier this month that addressed numerous security bugs in Jenkins core and various plugins.