This advisory discusses the impact of so-called Poodle vulnerability (CVE-2014-3566) in Jenkins core.
This vulnerability allows a man-in-the-middle attacker to decrypt SSLv3 communication. See this post for the technical detail of the attack. This involves an attacker who sits in the middle of a Jenkins controller and a victim, and a victim who opens a web page controller by an attacker. By repeatedly making the victim’s browser to issue an HTTPS request to the Jenkins controller, the attacker can decrypt sensitive information such as session cookie one byte at a time.
CVE-2014-3566 is rated high. An man-in-the-middle attacker can relatively easily trick a victim into opening an unencrypted web page controlled by an attacker, and a successful exploit results in a compromise of the Jenkins controller and/or loss of data.
All versions of Jenkins released to date is vulnerable, but only if all the following conditions are met:
You are using the built-in Winstone container by running Jenkins like
java -jar jenkins.war … (this includes everyone who installed Jenkins via a package manager such as deb, rpm, msi, and so on.)
You enable the HTTPS protocol by adding the
Jenkins 1.585, which is expected to ship in Oct 19th, will contain this fix.
Jenkins 1.580.1, which is expected to ship in Oct 29th, will contain this fix.
This issue and its fix is currently tracked as JENKINS-25169.
While we are working on releasing the new versions that incorporate the fix, you can change the way you run Jenkins today to get the fix on the version of Jenkins you are currently using:
Download winstone.jar v2.8, which contains the fix
Where you run
java -jar path/to/jenkins.war …, change this to
java -jar winstone.jar --warfile=path/to/jenkins.war …
This version of Winstone fixes the vulnerability by disabling SSLv3 entirely.