Jenkins Security Advisory 2022-02-09

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)

Descriptions

DoS vulnerability in bundled XStream library

SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)
Severity (CVSS): Medium
Description:

Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library’s vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job config.xml, build.xml, and numerous others.

This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the POST config.xml API, to cause a denial of service (DoS).

Jenkins 2.334, LTS 2.319.3 updates the version of the XStream library used.

Additionally, custom collection converters defined in Jenkins have been updated to apply the same DoS detection as those defined in XStream.

While the XStream dependency has been updated previously in the 2.333 weekly release, the Jenkins-specific changes in 2.334 are necessary for Jenkins to be protected.
Denial of service is detected via unexpectedly long-running collection-related operations. In case of very complex configurations, it is possible that there are false positive detections. Set the Java system property hudson.util.XStream2.collectionUpdateLimit to a number of seconds that a given XML file can take to load collections. Use -1 to disable this protection entirely.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.333
  • Jenkins LTS up to and including 2.319.2

Fix

  • Jenkins weekly should be updated to version 2.334
  • Jenkins LTS should be updated to version 2.319.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.