===================================================================                             CERT-Renater

                   Note d'Information No. 2021/VULN072
_____________________________________________________________________

DATE                : 10/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins versions prior to 2.334,
                                         LTS 2.319.3.

====================================================================https://www.jenkins.io/security/advisory/2022-02-09/
_____________________________________________________________________

Jenkins Security Advisory 2022-02-09
This advisory announces vulnerabilities in the following Jenkins
deliverables:

Jenkins (core)

Descriptions

DoS vulnerability in bundled XStream library
SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538
(Jenkins-specific converters)

Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the
XStream library’s vulnerability CVE-2021-43859. This library is used
by Jenkins to serialize and deserialize various XML files, like global
and job config.xml, build.xml, and numerous others.

This allows attackers able to submit crafted XML files to Jenkins to be
parsed as configuration, e.g. through the POST config.xml API, to cause
a denial of service (DoS).

Jenkins 2.334, LTS 2.319.3 updates the version of the XStream library used.

Additionally, custom collection converters defined in Jenkins have been
updated to apply the same DoS detection as those defined in XStream.


IMPORTANT
While the XStream dependency has been updated previously in the 2.333
weekly release, the Jenkins-specific changes in 2.334 are necessary for
Jenkins to be protected.


NOTE
Denial of service is detected via unexpectedly long-running
collection-related operations. In case of very complex configurations,
it is possible that there are false positive detections. Set the Java
system property hudson.util.XStream2.collectionUpdateLimit to a number
of seconds that a given XML file can take to load collections. Use -1
to disable this protection entirely.


Severity
SECURITY-2602: Medium


Affected Versions
Jenkins weekly up to and including 2.333
Jenkins LTS up to and including 2.319.2


Fix
Jenkins weekly should be updated to version 2.334
Jenkins LTS should be updated to version 2.319.3


These versions include fixes to the vulnerabilities described
above. All prior versions are considered to be affected by these
vulnerabilities unless otherwise


========================================================+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================