
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN453
_____________________________________________________________________

DATE                : 18/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins versions prior to
                        weekly 2.243, LTS 2.235.5.

=====================================================================
https://www.jenkins.io/security/advisory/2020-08-17/
_____________________________________________________________________


Jenkins Security Advisory 2020-08-17

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)


Descriptions


Buffer corruption in bundled Jetty
SECURITY-1983 / CVE-2019-17638

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP
and servlet server when started using java -jar jenkins.war. This is how
Jenkins is run when using any of the installers or packages, but not
when run using servlet containers such as Tomcat.

Jenkins 2.224 through 2.242 and LTS 2.222.1 through 2.235.4 bundle
Jetty 9.4.27, which is affected by CVE-2019-17638. In that Jetty
version a pooled response buffer can be corrupted when a response's
headers are too large, so an unauthenticated attacker may receive HTTP
response headers, possibly including sensitive data such as session
cookies, that were intended for another user.

Jenkins LTS 2.235.5 updates the bundled Jetty to 9.4.30.

Jetty was already previously updated to 9.4.30 in the 2.243 weekly
release.


Severity

    SECURITY-1983: Critical


Affected Versions

    Jenkins weekly up to and including 2.242
    Jenkins LTS up to and including 2.235.4


Fix

    Jenkins weekly should be updated to version 2.243
    Jenkins LTS should be updated to version 2.235.5

These versions include the fix for the vulnerability described above.
All prior versions are considered to be affected unless otherwise
indicated.
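The following script is an added example, not part of the CERT-Renater
note or of Jenkins itself. It encodes the version ranges stated above
and classifies a Jenkins version as affected, fixed, or older than the
range that bundles the vulnerable Jetty. It assumes that weekly
versions have two numeric components (2.242) and LTS versions three
(2.235.4), that a running instance reports its version in the
X-Jenkins response header, and, as a best-effort check only, that the
servlet container names itself in the Server header so that an
instance run under Tomcat rather than Winstone-Jetty can be told apart.
The sample headers are constructed for the example.

```python
"""Affected-version check for Jenkins Security Advisory 2020-08-17 (SECURITY-1983).

Added example; the version ranges come from the advisory text above.
Assumptions: weekly versions have two components, LTS versions three;
the X-Jenkins header carries the exact version; the Server header, when
present, identifies the servlet container.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Inclusive ranges that bundle Jetty 9.4.27, and the first fixed releases.
WEEKLY_AFFECTED = ((2, 224), (2, 242))
WEEKLY_FIXED = (2, 243)
LTS_AFFECTED = ((2, 222, 1), (2, 235, 4))
LTS_FIXED = (2, 235, 5)


def parse_version(text: str) -> Version:
    """Turn '2.235.4' into (2, 235, 4); reject anything that is not 2 or 3 dotted integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version: Version) -> bool:
    """LTS releases carry a third component (2.235.4); weeklies do not (2.242)."""
    return len(version) == 3


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'older' for a Jenkins version string.

    'older' means the build predates the range that bundles Jetty 9.4.27:
    not covered by SECURITY-1983 as described, but out of support and due
    for an upgrade regardless.
    """
    v = parse_version(text)
    if is_lts(v):
        (low, high), fixed = LTS_AFFECTED, LTS_FIXED
    else:
        (low, high), fixed = WEEKLY_AFFECTED, WEEKLY_FIXED
    if v >= fixed:
        return "fixed"
    if low <= v <= high:
        return "affected"
    return "older"


def _header(raw_headers: str, name: str) -> Optional[str]:
    """Case-insensitive lookup of one header value in raw response headers."""
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Jenkins reports its version in X-Jenkins on every response."""
    return _header(raw_headers, "X-Jenkins")


def container_is_jetty(raw_headers: str) -> Optional[bool]:
    """Best effort: True/False from the Server header, None when it is absent."""
    server = _header(raw_headers, "Server")
    return None if server is None else "jetty" in server.lower()


def assess(raw_headers: str) -> str:
    """Combine version and container checks into one verdict string."""
    version = version_from_headers(raw_headers)
    if version is None:
        return "unknown: no X-Jenkins header"
    status = classify(version)
    if status == "affected" and container_is_jetty(raw_headers) is False:
        # The vulnerable code path is Winstone-Jetty's; an external
        # container (e.g. Tomcat) serving the same build is not exposed.
        return f"{version}: affected build, but not served by bundled Jetty"
    return f"{version}: {status}"


# Constructed sample of response headers from a bundled-Jetty instance.
SAMPLE_HEADERS = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Jetty(9.4.27.v20200227)\r\n"
    "X-Jenkins: 2.235.4\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

The raw headers can be taken from `curl -sI` against the Jenkins URL,
or the version string alone from `java -jar jenkins.war --version` on
the host; the container check is only a hint, since a reverse proxy may
rewrite or drop the Server header.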



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
