Jenkins, an open-source automation server that lets developers build, test, and deploy applications, has released an advisory for a critical vulnerability in the application. The vulnerability, tracked as CVE-2019-17638, can result in memory corruption and the disclosure of sensitive information when exploited: it allows an unauthenticated attacker to obtain sensitive information via response headers.
According to the advisory: “Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.”
Jenkins had added a mechanism to Jetty version 9.4.27 to handle large HTTP response headers, which in turn prevents a buffer overflow. The flaw lay in the handling of the header buffer: the field referencing it was not set to null after the buffer was released.
To handle the buffer overflow, Jetty throws an exception that generates an HTTP 431 error, “Request Header Fields Too Large”. This causes the HTTP response header buffer to be released to the buffer pool twice, causing memory corruption and information disclosure.
Because of this duplicate release of the response header buffer by Jetty, two threads can simultaneously acquire the same buffer from the pool. One thread can then read data belonging to the second thread, which may include session identifiers, authentication credentials, or other sensitive information.
For example, since the two threads write to the same pooled buffer, user A's data can be written into user B's response, making A's session data accessible to user B.
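To make the double-release mechanism concrete, here is an added Python model of it; this is not Jetty's or Jenkins' code, and BufferPool and Connection are constructed stand-ins for Jetty's buffer pool and per-connection header field. It shows that when the 431 error path releases the header buffer without clearing the field, the buffer is returned to the pool a second time on close, and the next two connections are handed the same buffer, so user B can see user A's header data.

```python
class BufferPool:
    """Free-list pool modelled on a Jetty-style ByteBufferPool (constructed for this example)."""
    def __init__(self, size=64):
        self.size, self._free = size, []

    def acquire(self):
        return self._free.pop() if self._free else bytearray(self.size)

    def release(self, buf):
        self._free.append(buf)  # no guard against the same buffer being returned twice


class Connection:
    """Models the per-connection header buffer field that was left dangling."""
    def __init__(self, pool, fixed):
        self.pool, self.fixed, self._header = pool, fixed, None

    def write_headers(self, headers):
        if self._header is None:
            self._header = self.pool.acquire()
        if len(headers) > self.pool.size:
            # Model of the 431 error path: the buffer is released here...
            self.pool.release(self._header)
            if self.fixed:
                self._header = None  # the fix: clear the field after releasing
            raise ValueError("431 Request Header Fields Too Large")
        self._header[:len(headers)] = headers

    def peek(self):
        """Contents of this connection's header buffer before it writes anything."""
        if self._header is None:
            self._header = self.pool.acquire()
        return bytes(self._header)

    def close(self):
        if self._header is not None:
            self.pool.release(self._header)  # ...and again on close if the field is still set
            self._header = None


def leaked(fixed):
    """True if user B's freshly acquired buffer already holds user A's header data."""
    pool = BufferPool(size=64)
    bad = Connection(pool, fixed)
    try:
        bad.write_headers(b"X" * 80)  # oversized headers trigger the 431 path
    except ValueError:
        pass
    bad.close()  # double release in the vulnerable variant
    user_a, user_b = Connection(pool, fixed), Connection(pool, fixed)
    user_a.write_headers(b"Set-Cookie: JSESSIONID=A-SECRET")  # constructed sample header
    return b"A-SECRET" in user_b.peek()
```

`leaked(fixed=False)` returns True and `leaked(fixed=True)` returns False.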
Affected versions: Jenkins LTS before 2.235.5 and Jenkins before 2.243.
Jenkins has released updates to fix this critical vulnerability.
SanerNow security content has been published to detect this vulnerability. We strongly recommend installing Jenkins security updates without any delay.