CloudBees Security Advisory 2022-02-09

This advisory announces vulnerabilities in CloudBees CI and CloudBees Jenkins Platform

DoS vulnerability in bundled XStream library 

SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)

Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library’s vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job config.xmlbuild.xml, and numerous others.

This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the POST config.xml API, to cause a denial of service (DoS).

Jenkins 2.334, LTS 2.319.3 updates the version of the XStream library used.

Additionally, custom collection converters defined in Jenkins have been updated to apply the same DoS detection as those defined in XStream.

IMPORTANT: While the XStream dependency has been updated previously in the 2.333 weekly release, the Jenkins-specific changes in 2.334 are necessary for Jenkins to be protected.

NOTE: Denial of service is detected via unexpectedly long-running collection-related operations. In case of very complex configurations, it is possible that there are false positive detections. Set the Java system property hudson.util.XStream2.collectionUpdateLimit to a number of seconds that a given XML file can take to load collections. Use -1 to disable this protection entirely.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.319.3.3

  • CloudBees Cloud Platforms should be upgraded to 2.319.3.3

  • CloudBees Jenkins Enterprise should be upgraded to 2.319.3.3 the Managed Masters and Operations Center

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z)) should be upgraded to 2.319.3.3 version

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.277.x.0.z)) should be upgraded to 2.277.43.0.6 version

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.303.x.0.z)) should be upgraded to 2.303.30.0.5 version