=====================================================================

                             CERT-Renater

                   Note d'Information No. 2023/VULN416

_____________________________________________________________________

DATE                : 19/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins weekly versions prior to 2.428,
                     Jenkins LTS versions prior to 2.414.2.

=====================================================================
https://www.jenkins.io/security/advisory/2023-10-18/
_____________________________________________________________________


Jenkins Security Advisory 2023-10-18

This advisory announces vulnerabilities in the following Jenkins
deliverables:

     Jenkins (core)


Descriptions

HTTP/2 denial of service vulnerabilities in bundled Jetty
SECURITY-3291 / CVE-2023-36478, CVE-2023-44487
Severity (CVSS): High
Description:

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as
HTTP and servlet server when started using java -jar jenkins.war.
This is how Jenkins is run when using any of the installers or
packages, but not when run using servlet containers such as Tomcat.

Jenkins 2.427 and earlier, LTS 2.414.2 and earlier bundle versions
of Jetty affected by the security vulnerabilities CVE-2023-36478
and CVE-2023-44487. These vulnerabilities allow unauthenticated
attackers to cause a denial of service.

This only affects instances that enable HTTP/2, typically
using the --http2Port argument to java -jar jenkins.war or
corresponding options in service configuration files. It is
disabled by default in all native installers and the Docker
images provided by the Jenkins project.

Jenkins 2.428, LTS 2.414.3 updates the bundled Jetty to version
10.0.17, which is unaffected by these issues.

Administrators unable to update to these releases of Jenkins
(or newer) are advised to disable HTTP/2.
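The following POSIX shell script is an added defender-side check, not part of the Jenkins advisory or of this CERT-Renater note. It assumes that the Jenkins startup options are available as a single string (as in a JENKINS_OPTS line of a service configuration file; the sample line below is constructed), uses the --http2Port option name and the fixed versions 2.428 / 2.414.3 stated above, and shows how to classify an instance (affected version and HTTP/2 enabled) and how to derive an option string with HTTP/2 disabled as the interim mitigation.

```shell
#!/bin/sh
# Constructed sample: a JENKINS_OPTS-style line from a service configuration file.
SAMPLE_OPTS='--httpPort=8080 --http2Port=8443 --prefix=/jenkins'

# Returns 0 if the option string enables HTTP/2 via --http2Port=PORT, 1 otherwise.
jenkins_http2_enabled() {
    case "$1" in
        *"--http2Port="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "affected" or "fixed" for a Jenkins version string.
# Weekly releases have two components (2.427); LTS releases have three (2.414.2).
# Thresholds from the advisory: weekly fixed in 2.428, LTS fixed in 2.414.3.
jenkins_version_status() {
    ver=$1
    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1; minor=$2; patch=$3

    if [ "$major" -lt 2 ]; then
        echo affected; return
    fi
    if [ "$major" -gt 2 ]; then
        echo fixed; return
    fi
    if [ -n "$patch" ]; then
        # LTS line: fixed when >= 2.414.3
        if [ "$minor" -gt 414 ] || { [ "$minor" -eq 414 ] && [ "$patch" -ge 3 ]; }; then
            echo fixed
        else
            echo affected
        fi
    else
        # Weekly line: fixed when >= 2.428
        if [ "$minor" -ge 428 ]; then
            echo fixed
        else
            echo affected
        fi
    fi
}

# Prints the option string with the --http2Port=PORT token removed (interim mitigation:
# disable HTTP/2 until the instance can be updated).
jenkins_disable_http2_opts() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*--http2Port=[0-9][0-9]*//g'
}

# Combines both checks: "vulnerable" only when the version is affected AND HTTP/2 is on.
jenkins_assess() {
    status=$(jenkins_version_status "$1")
    if [ "$status" = affected ] && jenkins_http2_enabled "$2"; then
        echo vulnerable
    elif [ "$status" = affected ]; then
        echo affected-version-http2-off
    else
        echo fixed
    fi
}

# Stand-alone demonstration on the constructed sample.
echo "Jenkins LTS 2.414.2 with '$SAMPLE_OPTS': $(jenkins_assess 2.414.2 "$SAMPLE_OPTS")"
echo "Mitigated options: $(jenkins_disable_http2_opts "$SAMPLE_OPTS")"
echo "Jenkins LTS 2.414.3 with same options: $(jenkins_assess 2.414.3 "$SAMPLE_OPTS")"
```

On a real host, replace SAMPLE_OPTS with the JENKINS_OPTS value from the service file (or the arguments of the running java -jar jenkins.war process) and the version with the one reported by the instance; the script only reports and never edits the configuration itself.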


Severity

     SECURITY-3291: High


Affected Versions

     Jenkins weekly up to and including 2.427
     Jenkins LTS up to and including 2.414.2


Fix

     Jenkins weekly should be updated to version 2.428
     Jenkins LTS should be updated to version 2.414.3

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
