CloudBees Security Advisory 2022-09-09

This advisory announces vulnerabilities in CloudBees CI, Jenkins and CloudBees Jenkins Platform

HTTP/2 denial of service vulnerability in bundled Jetty

SECURITY-2868 / CVE-2022-2048
Severity (CVSS): High
Description:

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.

Jenkins weekly 2.362 and earlier and Jenkins LTS 2.346.3 and earlier bundle versions of Jetty affected by the security vulnerability CVE-2022-2048. This vulnerability allows unauthenticated attackers to make the Jenkins UI unresponsive by exploiting Jetty's handling of invalid HTTP/2 requests, causing a denial of service.

Note: This only affects instances that enable HTTP/2, typically using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files. It is disabled by default in all native installers and the Docker images provided by the Jenkins project.

Jenkins LTS 2.361.1 updates the bundled Jetty to version 10.0.11, which is unaffected by this issue.

Jetty was already previously updated to version 10.0.11 in the 2.363 weekly release.

Administrators unable to update to these releases of Jenkins (or newer) are advised to disable HTTP/2.
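The following POSIX shell script is an added example and not part of the advisory or of Jenkins itself. It audits a Jenkins launch option string (the words that follow java -jar jenkins.war, or the contents of the options variable in a service configuration file, whose name varies by package and is assumed here rather than taken from the advisory) for the --http2Port=<port> form that enables the affected listener, and prints the same option string with that option removed, which is the workaround described above. The sample option strings, the script name and the process-inspection helper are constructed for the example.

```shell
#!/bin/sh
# Added example: detect whether a Jenkins option string enables HTTP/2 via
# --http2Port=<port> and produce a copy with the option removed.
# Only the --http2Port=<port> form is handled; a bare --http2Port word is ignored.

# http2_port_from_args "<args>": print the configured HTTP/2 port and return 0
# when --http2Port=<port> is present; print nothing and return 1 otherwise.
http2_port_from_args() {
    set -- $1                              # split the option string into words
    while [ $# -gt 0 ]; do
        case "$1" in
            --http2Port=?*) printf '%s\n' "${1#--http2Port=}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# strip_http2_opt "<args>": print the option string with every --http2Port=...
# word removed, so the result can be written back to the service configuration.
strip_http2_opt() {
    out=""
    set -- $1
    for word in "$@"; do
        case "$word" in
            --http2Port=*) ;;                             # drop the HTTP/2 listener
            *) out="${out:+$out }$word" ;;
        esac
    done
    printf '%s\n' "$out"
}

# audit_jenkins_args "<args>": one-line verdict; returns 1 when HTTP/2 is enabled.
audit_jenkins_args() {
    if port=$(http2_port_from_args "$1"); then
        printf 'HTTP/2 ENABLED on port %s: exposed to CVE-2022-2048 on affected Jetty\n' "$port"
        printf 'hardened options: %s\n' "$(strip_http2_opt "$1")"
        return 1
    fi
    printf 'HTTP/2 disabled: not exposed to CVE-2022-2048\n'
    return 0
}

# audit_running_jenkins: apply the same check to a live "java -jar jenkins.war"
# process found via ps (hypothetical helper, not exercised by the samples below).
audit_running_jenkins() {
    live=$(ps -eo args= 2>/dev/null | grep -- '-jar .*jenkins\.war' | grep -v grep | head -n 1)
    [ -n "$live" ] || { printf 'no java -jar jenkins.war process found\n'; return 0; }
    audit_jenkins_args "$live"
}

# Constructed sample option strings (not taken from any real installation).
SAMPLE_ENABLED='--httpPort=8080 --http2Port=9090 --prefix=/jenkins'
SAMPLE_DISABLED='--httpPort=8080 --prefix=/jenkins'

# Stand-alone demonstration on the constructed samples.
audit_jenkins_args "$SAMPLE_ENABLED" || :
audit_jenkins_args "$SAMPLE_DISABLED"
```

The script only inspects the option string; it does not confirm that the Jetty version in the running war is one of the affected ones, so treat "HTTP/2 disabled" as the condition under which the listed Jetty versions cannot be reached through this vector, not as proof of an upgrade.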

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.346.4.1 or 2.361.1.2

  • CloudBees Cloud Platforms should be upgraded to 2.346.4.1 or 2.361.1.2

  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.346.4.1 or 2.361.1.2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z)) should be upgraded to 2.346.4.1 or 2.361.1.2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.303.x.0.z)) should be upgraded to 2.303.30.0.16

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) is not vulnerable as no previous release of this line bundled the affected versions of Jetty