This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library’s vulnerability CVE-2021-43859.
This library is used by Jenkins to serialize and deserialize various XML files, like global and job
build.xml, and numerous others.
This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the
POST config.xml API, to cause a denial of service (DoS).
Jenkins 2.334, LTS 2.319.3 updates the version of the XStream library used.
Additionally, custom collection converters defined in Jenkins have been updated to apply the same DoS detection as those defined in XStream.
|While the XStream dependency has been updated previously in the 2.333 weekly release, the Jenkins-specific changes in 2.334 are necessary for Jenkins to be protected.|
Denial of service is detected via unexpectedly long-running collection-related operations.
In case of very complex configurations, it is possible that there are false positive detections.
Set the Java system property
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.