-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2825
Jenkins LTS 2.235.5 patches Jetty vuln, was already patched in Jenkins 2.243
18 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Jenkins
Publisher: Jenkins
Operating System: UNIX variants (UNIX, Linux, OSX), Windows
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-17638
Reference: ESB-2020.2553
Original Bulletin:
https://www.jenkins.io/security/advisory/2020-08-17/
- --------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2020-08-17
This advisory announces vulnerabilities in the following Jenkins deliverables:
* Jenkins (core)
Descriptions
Buffer corruption in bundled Jetty
SECURITY-1983 / CVE-2019-17638
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and
servlet server when started using java -jar jenkins.war. This is how Jenkins is
run when using any of the installers or packages, but not when run using
servlet containers such as Tomcat.
Jenkins 2.224 through 2.242 and LTS 2.222.1 through 2.235.4 bundle Jetty
9.4.27, which carries the security vulnerability CVE-2019-17638. This
vulnerability may allow unauthenticated attackers to obtain HTTP response
headers that may include sensitive data intended for another user.
Jenkins LTS 2.235.5 updates the bundled Jetty to 9.4.30.
Jetty was already previously updated to 9.4.30 in the 2.243 weekly release.
Severity
* SECURITY-1983: Critical
Affected Versions
* Jenkins weekly up to and including 2.242
* Jenkins LTS up to and including 2.235.4
Fix
* Jenkins weekly should be updated to version 2.243
* Jenkins LTS should be updated to version 2.235.5
These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.
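The affected/fixed ranges above differ between the weekly and LTS lines, and a naive numeric comparison of an LTS version (2.235.4) against the weekly fix version (2.243) would wrongly report it as fixed. The following Python helper is an added example (not part of the Jenkins advisory or the AusCERT bulletin) that applies the advisory's stated ranges to a version string. It assumes the version is the one Jenkins reports about itself, which has two components for weekly releases (2.242) and three for LTS releases (2.235.4); the `X-Jenkins` response header used in the sample is a real Jenkins header, but the header block itself is constructed for the example. The `uses_bundled_jetty` flag reflects the advisory's note that deployments under an external servlet container such as Tomcat do not use Winstone-Jetty.

```python
"""Assess a Jenkins version against the ranges stated in the 2020-08-17
Jenkins advisory for SECURITY-1983 / CVE-2019-17638.

Added example; not code from Jenkins or AusCERT."""

from typing import Dict, Optional, Tuple

# Fix versions quoted from the advisory. Everything below them on the same
# release line is treated as affected, matching the "Affected Versions"
# section ("up to and including 2.242" / "up to and including 2.235.4").
WEEKLY_FIXED: Tuple[int, ...] = (2, 243)
LTS_FIXED: Tuple[int, ...] = (2, 235, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '2.242' (weekly) or '2.235.4' (LTS) into a comparable tuple.

    Anything that is not two or three dot-separated integers is rejected
    rather than guessed at, so a suffix such as '-SNAPSHOT' fails loudly."""
    parts = text.strip().split(".")
    if not (2 <= len(parts) <= 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: Tuple[int, ...]) -> bool:
    """Jenkins LTS versions carry a third component; weekly versions do not."""
    return len(version) == 3


def assess(version_text: str, uses_bundled_jetty: bool = True) -> Dict[str, Optional[str]]:
    """Return the release line, a status and, when affected, the upgrade target.

    status is one of:
      'affected'       - below the fix version on its own release line
      'fixed'          - at or above the fix version on its own release line
      'not-applicable' - Jenkins runs under an external servlet container,
                         so the bundled Winstone-Jetty is not in use"""
    version = parse_version(version_text)
    lts = is_lts(version)
    fixed = LTS_FIXED if lts else WEEKLY_FIXED
    line = "LTS" if lts else "weekly"

    if not uses_bundled_jetty:
        status = "not-applicable"
    elif version >= fixed:  # tuple comparison is component-wise, left to right
        status = "fixed"
    else:
        status = "affected"

    return {
        "line": line,
        "version": ".".join(map(str, version)),
        "status": status,
        "upgrade_to": ".".join(map(str, fixed)) if status == "affected" else None,
    }


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Pull the Jenkins version out of a captured HTTP response header block.

    Jenkins reports its version in the X-Jenkins response header; the match
    is case-insensitive because header names are."""
    for header_line in raw_headers.splitlines():
        name, sep, value = header_line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


# Constructed sample header block for the example (not a real capture).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
X-Jenkins: 2.235.4
X-Jenkins-Session: 0123abcd
"""

if __name__ == "__main__":
    reported = version_from_headers(SAMPLE_HEADERS)
    print(assess(reported))                              # affected, upgrade to 2.235.5
    print(assess("2.242"))                               # affected, upgrade to 2.243
    print(assess("2.243"))                               # fixed
    print(assess("2.235.4", uses_bundled_jetty=False))   # not-applicable (e.g. Tomcat)
```

The release-line split is the whole point of the helper: a fleet inventory that strips versions to floats or compares them as plain strings will misjudge the LTS line, and the `uses_bundled_jetty` flag records the deployment fact the advisory says decides exposure, which no version string can tell you.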
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXzsqr+NLKJtyKPYoAQi3LxAAqmtmQTI2+68JB8pyOCz+tLbA8SDNxpTF
Y5Yb0lFbSrT3QIK/E8fT4Gv2lXwF+0ORIJ5TSyxdSGUyZ+IuS0BpZOz+Nqp+T2Yn
wopDqMASYU/gQJ45ZmvyiIZA9dMLp2VD5d+BYsMnspKfS1LG9lt0bw2iW67m6trd
e4UfyHn0/DxlD5m/A8rpcduah//MVdInMenVtiOzW+zsxzegnwwo4KJAoFaPls5T
K/vGhpSKWp2SVVhnBpWFaJCpJqAgkNxkMQ3EkKIfL9ByrkkNeiEaLEOQZtu9SW1+
f8sbUw/F+pfjhSuniz1vEXT1cabHp7HK0oeLvimJoi7fCKBrHtsPe/76S7C4hWmf
hBe3rFp002a1z69zXcEXYDcm3Pg13S85P1TPkGM8uniFE8e5WZB3PdH1ikhvFPY7
OqreKEwMwTeOWLX16BmNvGxYGRRm4cf9ByRsCr3mQD1m91mIsDA9IKF1gfU7mTU9
DvfUJA5pSUKoZvgi0MHOXcamDLGxsHtQJYEtQrv1iWPSGXdkzyTxW3Nr5g9REFGE
HfLastM+pfz8i2MTPyNKBMDn//IgoHytErW+YQ4IEtZ5jeh4EvrlwrxEAw1mfAtx
QE9KQtPnxoLMb+mawdSyMN9tNCmx7KMv9zHNM0AWXdjW1ZzAd4pKfbQWp15KjLL4
Esfp/Cdi3ew=
=QTaN
-----END PGP SIGNATURE-----