The Total Economic Impact of CloudBees - commissioned study shows cost savings of $30.9 million using CloudBees for CI/CD →

CloudBees Security Advisory 2024-03-20

This advisory announces vulnerabilities in CloudBees CI and Jenkins

HTTP/2 denial of service vulnerability in bundled Jetty

SECURITY-3379 / CVE-2024-22201
Severity (CVSS): High
Description:

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.

Jenkins 2.443 and earlier, LTS 2.440.1 and earlier bundles versions of Jetty affected by the security vulnerability CVE-2024-22201. This vulnerability allows unauthenticated attackers to cause a denial of service.

This only affects instances that enable HTTP/2, typically using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files. It is disabled by default in all native installers and the Docker images provided by the Jenkins project.

Jenkins 2.444, LTS 2.440.2 updates the bundled Jetty to version 10.0.20, which is unaffected by these issues.

Administrators unable to update to these releases of Jenkins (or newer) are advised to disable HTTP/2.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.440.2.1

  • CloudBees Cloud Platforms should be upgraded to 2.440.2.1

More Security Advisories

From code to customer.

Continuously advancing your business.

© 2024 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders.