Critical Jenkins vulnerability can cause memory corruption and disclose sensitive information

Jenkins, an open-source automation server, has released an advisory for a critical vulnerability in its application. Jenkins enables developers to build, test, and deploy applications. The vulnerability, tracked as CVE-2019-17638, can result in memory corruption and disclosure of sensitive information when exploited. It allows any unauthenticated attacker to obtain sensitive information via response headers.

According to the advisory, “Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.”


CVE-2019-17638

Jenkins had added a mechanism to Jetty version 9.4.27 to handle large HTTP response headers, which in turn prevents buffer overflow. The flaw was present in the header buffer, since the field was not set to NULL.

To handle the buffer overflow, Jetty throws an exception to generate an HTTP error 431, which stands for “Request Header Fields Too Large”. This causes the buffer holding the HTTP response headers to be released to the buffer pool twice, causing memory corruption and information disclosure.

Because Jetty releases the response header buffer twice, two threads can simultaneously acquire the same buffer from the pool. One thread can then access data belonging to the second thread, which can include session identifiers, authentication credentials, or other sensitive information.

For example, since the two threads can write data to the same pooled buffer, user A's data can be written into user B's response, making the session data of A accessible to user B.
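A single-threaded model of the double release described above, as an added example (not Jetty or Jenkins code): the `BufferPool` and `ResponseWriter` classes, the `clear_on_release` switch and the sample header values are constructed for illustration. It compares leaving the header field set after release with clearing it.

```python
from collections import deque

class BufferPool:
    """Free-list pool that trusts callers to release each buffer once."""
    def __init__(self, size):
        self.size, self.free = size, deque()
    def acquire(self):
        return self.free.popleft() if self.free else bytearray(self.size)
    def release(self, buf):
        self.free.append(buf)

class ResponseWriter:
    """Hypothetical response generator that keeps its header buffer in a field."""
    def __init__(self, pool, clear_on_release):
        self.pool, self.clear_on_release, self.header = pool, clear_on_release, None
    def release_header(self):
        if self.header is not None:
            self.pool.release(self.header)
            if self.clear_on_release:
                self.header = None  # fixed behaviour: forget the buffer once released
    def send(self, header_bytes):
        self.header = self.pool.acquire()
        try:
            if len(header_bytes) > len(self.header):
                self.release_header()  # error path releases the buffer ...
                raise OverflowError("431 Request Header Fields Too Large")
            self.header[:len(header_bytes)] = header_bytes
        finally:
            self.release_header()  # ... and normal cleanup releases it again

def shared_after_overflow(clear_on_release):
    """Return (same_buffer, leaked) for two acquirers after one oversized response."""
    pool = BufferPool(size=64)
    writer = ResponseWriter(pool, clear_on_release)
    try:
        writer.send(b"X" * 128)  # constructed oversized header
    except OverflowError:
        pass
    buf_a, buf_b = pool.acquire(), pool.acquire()  # handlers for user A and user B
    secret = b"Set-Cookie: JSESSIONID=constructed-user-A"  # constructed value
    buf_a[:len(secret)] = secret
    return buf_a is buf_b, bytes(buf_b[:len(secret)]) == secret

if __name__ == "__main__":
    print("field left set:", shared_after_overflow(False))
    print("field cleared: ", shared_after_overflow(True))
```

With the field left set, the pool hands the same buffer to both acquirers and user A's header bytes are readable through user B's buffer; with the field cleared, the second release is a no-op and the buffers are distinct.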


Affected products
Jenkins LTS before 2.235.5
Jenkins before 2.243


Solution
Jenkins has released updates to fix this critical vulnerability.

SanerNow security content has been published to detect this vulnerability. We strongly recommend installing Jenkins security updates without any delay.

Publisher: Secpod Technologies