DoS vulnerability in bundled XStream library
SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library’s vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job
build.xml, and numerous others.
This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the
POST config.xml API, to cause a denial of service (DoS).
Jenkins 2.334, LTS 2.319.3 updates the version of the XStream library used.
Additionally, custom collection converters defined in Jenkins have been updated to apply the same DoS detection as those defined in XStream.
IMPORTANT: While the XStream dependency has been updated previously in the 2.333 weekly release, the Jenkins-specific changes in 2.334 are necessary for Jenkins to be protected.
NOTE: Denial of service is detected via unexpectedly long-running collection-related operations. In case of very complex configurations, it is possible that there are false positive detections. Set the Java system property
hudson.util.XStream2.collectionUpdateLimit to a number of seconds that a given XML file can take to load collections. Use
-1 to disable this protection entirely.
CloudBees Traditional Platforms should be upgraded to 2.319.3.3
CloudBees Cloud Platforms should be upgraded to 2.319.3.3
CloudBees Jenkins Enterprise should be upgraded to 2.319.3.3 the Managed Masters and Operations Center
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z)) should be upgraded to 2.319.3.3 version
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.277.x.0.z)) should be upgraded to 2.2126.96.36.199 version
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.303.x.0.z)) should be upgraded to 2.303.30.0.5 version