Buffer overflow flaw on Jenkins server. Update your servers ASAP

Developers of the popular open source automation server software Jenkins issued a warning about a critical vulnerability on the Jetty web server whose exploitation could cause memory corruption and leaks of sensitive information.

The vulnerability, tracked as CVE-2019-17638, received a score of 9.4/10 on the Common Vulnerability Scoring System (CVSS) scale and is present in all versions between Eclipse Jetty 9.4.27.v20200227 and 9.4.29.v20200521, a Jetty wrapper, to act as an HTTP server and servlet when you start using java -jar jenkins.war. This is how Jenkins runs when using any of the installers or packages, but not when running with servlet containers like Tomcat”, it is read in the warning.

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es jenkins18082020.jpg

According to the report, the vulnerability would allow unauthenticated threat actors to obtain HTTP response headers that might include sensitive data intended for another user. The flaw would have been introduced in Jetty version 9.4.27, which added a function to manage large HTTP response headers and prevent buffer overflow.

“Updating fixed the buffer overflow, but the field was not aborted,” said Greg Wilkins, Project Manager Jetty. “The solution causes HTTP response headers to be published to the buffer pool twice, resulting in memory corruption and information disclosure,” Wilkins adds.

In a recently detected exploit case, memory corruption made it possible for clients to move between sessions, so they gained access to accounts because a user’s authentication cookies ended up in the hands of another user. The version of Jetty 9.4.30.v20200611, released last month, contains the necessary fixes.  It is recommended that Jenkins users update vulnerable deployments to mitigate the risk of exploiting this vulnerability.