Security Advisories

CloudBees Security Advisory 2023-10-18

This advisory announces vulnerabilities in CloudBees CI and Jenkins.

HTTP/2 denial of service vulnerability in bundled Jetty

SECURITY-3291 / CVE-2023-36478, CVE-2023-44487

Severity (CVSS): High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.

CloudBees CI 2.414.2.2 and earlier, Jenkins 2.427 and earlier, and LTS 2.414.2 and earlier bundle versions of Jetty affected by CVE-2023-36478 (an integer overflow in Jetty's HPACK header decoding) and CVE-2023-44487 (the HTTP/2 "Rapid Reset" stream-cancellation attack). These vulnerabilities allow unauthenticated attackers to cause a denial of service.

Note: This only affects instances that enable HTTP/2, typically using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files. It is disabled by default in all native installers, Docker images and Helm charts provided by CloudBees and the Jenkins project.

CloudBees CI 2.414.3.7, Jenkins 2.428, and LTS 2.414.3 update the bundled Jetty to version 10.0.17, which is unaffected by these issues.

Administrators unable to update to these releases of CloudBees CI or Jenkins (or newer) are advised to disable HTTP/2.
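The following is an added example, not code from CloudBees or the Jenkins project. It shows how an administrator can audit the Jenkins launch options for the --http2Port argument that enables the Winstone-Jetty HTTP/2 listener and produce a rewritten option string with that argument removed (the mitigation above). The sample option string, its port numbers and the webroot path are constructed for illustration; on a real host the options live in the service configuration (for example JENKINS_OPTS or JAVA_ARGS in /etc/default/jenkins, a systemd override, or the Windows service XML).

```shell
#!/bin/sh
# Added example (not from CloudBees or the Jenkins project): audit Jenkins
# launch options for --http2Port, the Winstone-Jetty flag that turns on the
# HTTP/2 listener, and emit the same options with the flag stripped.

# Returns "yes" if the option string enables HTTP/2, "no" otherwise.
# Winstone accepts both "--http2Port=9090" and "--http2Port 9090", so the
# string is padded with spaces and both spellings are matched.
http2_enabled() {
    case " $1 " in
        *" --http2Port="*|*" --http2Port "*) echo yes ;;
        *) echo no ;;
    esac
}

# Prints the option string with any --http2Port argument (either form)
# removed; every other option, including --httpPort and --httpsPort, is
# left exactly as it was.
disable_http2() {
    printf '%s\n' "$1" | sed -E 's/ *--http2Port(=[0-9]+| +[0-9]+)//g'
}

# Constructed sample resembling a JENKINS_OPTS line from a service
# configuration file; the port numbers and path are assumptions.
SAMPLE_OPTS='--httpPort=8080 --http2Port=9090 --webroot=/var/cache/jenkins/war'

printf 'HTTP/2 enabled:    %s\n' "$(http2_enabled "$SAMPLE_OPTS")"
printf 'Mitigated options: %s\n' "$(disable_http2 "$SAMPLE_OPTS")"
```

Because HTTP/2 is disabled by default, removing the argument is sufficient; there is no need to set a replacement value. To confirm the change took effect on a running instance, inspect the live command line (for example, pgrep -af jenkins.war) for --http2Port, or connect to the former HTTP/2 port with curl -skI --http2 https://HOST:PORT/ and verify that the listener is gone rather than answering with an HTTP/2 status line.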

commons-httpclient Library Vulnerability

BEE-39003 / CVE-2012-5783

Severity (CVSS): Medium, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

The commons-httpclient library used by the WebDAV and Azure stores (pulled in transitively through com.sun.jersey:jersey.client) is vulnerable to man-in-the-middle (MITM) attacks: CVE-2012-5783 describes its failure to verify that the server host name matches the subject of the presented X.509 certificate, so a TLS connection to an attacker holding any valid certificate is accepted.
The fix removes the commons-httpclient dependency and uses the JDK's built-in Java HttpClient instead, which performs host name verification by default.

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.414.3.7.
  • CloudBees Cloud Platforms should be upgraded to 2.414.3.7.
