Hash DoS vulnerability in Jenkins core

Bug #914628 reported by James Page
Affects                          Status        Importance  Assigned to     Milestone
jenkins (Ubuntu)                 Fix Released  Undecided   Unassigned
  Oneiric                        Fix Released  Medium      Steve Beattie
  Precise                        Fix Released  Undecided   Unassigned
jenkins-executable-war (Ubuntu)  Fix Released  Undecided   Unassigned
  Oneiric                        Fix Released  Medium      Steve Beattie
  Precise                        Fix Released  Undecided   Unassigned
jenkins-winstone (Ubuntu)        Fix Released  Undecided   Unassigned
  Oneiric                        Fix Released  Medium      Steve Beattie
  Precise                        Fix Released  Undecided   Unassigned

Bug Description

[Impact]
<fill me in with explanation of severity and frequency of bug on users and justification for backporting the fix to the stable release>

[Development Fix]
<fill me in with an explanation of how the bug has been addressed in the development branch, including the relevant version numbers of packages modified in order to implement the fix. >

[Stable Fix]
<fill me in by pointing out a minimal patch applicable to the stable version of the package.>

[Test Case]
<fill me in with detailed *instructions* on how to reproduce the bug. This will be used by people later on to verify the updated package fixes the problem.>
1.
2.
3.
Broken Behavior:
Fixed Behavior:

[Regression Potential]
<fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.>

[Original Report]
Jenkins running standalone (as it does in the Ubuntu packaging) is vulnerable to the Hash DoS attack as detailed here:

http://www.ocert.org/advisories/ocert-2011-003.html

Full details of the Jenkins vulnerability:

http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb

I believe this will require updates to jenkins-executable-war (1.25) and jenkins-winstone (0.9.10-jenkins-31).

James Page (james-page) wrote :
description: updated
James Page (james-page) wrote :

I've just requested sponsorship to Debian unstable of the required new upstream releases on jenkins-executable-war and jenkins-winstone.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jenkins-executable-war - 1.25-0ubuntu1

---------------
jenkins-executable-war (1.25-0ubuntu1) precise; urgency=low

  * New upstream release:
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb
      Fix Hash DoS vulnerability by limiting the maximum number of
      parameters to 1000 (LP: #914628).
 -- James Page <email address hidden> Thu, 12 Jan 2012 10:28:37 +0100

Changed in jenkins-executable-war (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jenkins-winstone - 0.9.10-jenkins-31+dfsg-0ubuntu1

---------------
jenkins-winstone (0.9.10-jenkins-31+dfsg-0ubuntu1) precise; urgency=low

  * New upstream release:
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb
      Fix Hash DoS vulnerability with HTTP parameters by restricting the
      number of parameters in any HTTP request.
      (LP: #914628)
 -- James Page <email address hidden> Fri, 13 Jan 2012 12:55:51 +0100

Changed in jenkins-winstone (Ubuntu Precise):
status: New → Fix Released
James Page (james-page) wrote :

Latest sync from Debian of Jenkins resolved this issue in precise.

Changed in jenkins (Ubuntu Precise):
status: New → Fix Released
James Page (james-page)
Changed in jenkins (Ubuntu Oneiric):
assignee: nobody → James Page (james-page)
importance: Undecided → Medium
status: New → In Progress
Changed in jenkins-executable-war (Ubuntu Oneiric):
status: New → In Progress
Changed in jenkins-winstone (Ubuntu Oneiric):
status: New → In Progress
assignee: nobody → James Page (james-page)
Changed in jenkins-executable-war (Ubuntu Oneiric):
assignee: nobody → James Page (james-page)
visibility: private → public
Changed in jenkins-executable-war (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in jenkins-winstone (Ubuntu Oneiric):
importance: Undecided → Medium
James Page (james-page) wrote :

Attached debdiff for jenkins-winstone for oneiric-security

James Page (james-page) wrote :

Attached patch for jenkins-executable-war for oneiric

James Page (james-page) wrote :

Attached debdiff for rebuild of jenkins against specific minimum versions of executable-war and winstone.

James Page (james-page) wrote :

I've rebuilt and tested on my local oneiric server install to ensure that this fix has no impact on existing functionality - all looked OK to me.

Steve Beattie (sbeattie) wrote :

Hi James,

The debdiffs look fine to me from a packaging perspective. I'm a little dubious of the upstream fix, which is just setting a limit on the size of the hashtables and hashmaps and assumes that a worst case walk of that size won't negatively impact the operation of the system. In any event, despite my reservations, I'll push them to the security pocket soon.

Thanks!

Changed in jenkins (Ubuntu Oneiric):
assignee: James Page (james-page) → Steve Beattie (sbeattie)
Changed in jenkins-executable-war (Ubuntu Oneiric):
assignee: James Page (james-page) → Steve Beattie (sbeattie)
Changed in jenkins-winstone (Ubuntu Oneiric):
assignee: James Page (james-page) → Steve Beattie (sbeattie)
Bryce Harrington (bryce)
description: updated
Kohsuke Kawaguchi (kk-kohsuke) wrote :

Hi, Steve,

Upstream maintainer here. The fix is in line with what's done in Tomcat and other application servers that are affected by the same vulnerability, so I believe this is an accepted practice.
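The winstone changelog above describes the fix as restricting the number of parameters in any HTTP request, and the exchange between Steve and Kohsuke is about whether such a cap is an adequate mitigation. The sketch below is an added illustration, not winstone's or Jenkins' code: it shows where a parameter-count cap has to sit (before any key reaches the hash table) and the bounded worst case it leaves behind. The 1000 limit is the value quoted in the jenkins-executable-war changelog on this page; the parser and sample inputs are constructed for the example.

```python
from typing import Dict, List
from urllib.parse import unquote_plus

# Cap taken from the jenkins-executable-war changelog on this page; winstone's
# actual constant and how it is configured are not shown there, so treat this as assumed.
MAX_PARAMETERS = 1000


class TooManyParametersError(ValueError):
    """Raised when a query string or form body exceeds the parameter cap."""


def parse_form_params(raw: str, max_params: int = MAX_PARAMETERS) -> Dict[str, List[str]]:
    """Parse application/x-www-form-urlencoded text into name -> list of values.

    The cap is enforced on the raw pair list *before* any key is inserted into
    the hash table, so an oversized request costs O(n) to reject instead of
    driving the table into its O(n^2) all-keys-collide worst case.
    """
    pairs = [p for p in raw.split("&") if p]
    if len(pairs) > max_params:
        raise TooManyParametersError(
            f"request carries {len(pairs)} parameters, limit is {max_params}"
        )
    params: Dict[str, List[str]] = {}
    for pair in pairs:
        name, _sep, value = pair.partition("=")
        # A bare name with no '=' is kept with an empty value, as servlet containers do.
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def worst_case_probes(max_params: int = MAX_PARAMETERS) -> int:
    """Upper bound on key comparisons once the cap is in place.

    If every one of max_params keys lands in the same chained bucket, inserting
    the i-th key walks the i-1 keys already there, so the total is
    max_params*(max_params-1)/2. That fixed per-request cost is what the cap
    trades the unbounded attack for, which is the trade-off discussed above.
    """
    return max_params * (max_params - 1) // 2


# Constructed sample inputs (not captured traffic).
SAMPLE_OK = "job=build&token=abc+def&job=deploy"
SAMPLE_OVERSIZED = "&".join(f"p{i}=1" for i in range(MAX_PARAMETERS + 1))
```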

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jenkins - 1.409.1-0ubuntu4.2

---------------
jenkins (1.409.1-0ubuntu4.2) oneiric-security; urgency=low

  * SECURITY UPDATE: Hash DoS vulnerability in parameter
    handling (LP: #914628):
    - Rebuild to pick up new versions of jenkins-executable-war and
      libjenkins-winstone-java with required parameter handling fixes.
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb
 -- James Page <email address hidden> Fri, 27 Jan 2012 16:11:59 +0000

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jenkins-executable-war - 1.22-1ubuntu0.1

---------------
jenkins-executable-war (1.22-1ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Hash DoS vulnerability in parameter
    handling (LP: #914628):
    - debian/patches/hash-dos-fix.patch: Cherry picked fix from upstream
      to prevent this vulnerability.
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb
 -- James Page <email address hidden> Fri, 27 Jan 2012 16:02:35 +0000

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jenkins-winstone - 0.9.10-jenkins-25+dfsg-0ubuntu2.2

---------------
jenkins-winstone (0.9.10-jenkins-25+dfsg-0ubuntu2.2) oneiric-security; urgency=low

  * SECURITY UPDATE: Hash DoS vulnerability in parameter
    handling (LP: #914628):
    - debian/patches/hash-dos-fix.patch: Cherry picked fix from upstream
      to prevent this vulnerability.
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb
 -- James Page <email address hidden> Fri, 27 Jan 2012 16:01:06 +0000

Changed in jenkins (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in jenkins-executable-war (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in jenkins-winstone (Ubuntu Oneiric):
status: In Progress → Fix Released