===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.1717
                    Jenkins Security Advisory 2024-03-20
                               21 March 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins (core)
Publisher:         jenkins
Operating System:  UNIX
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-22201

Original Bulletin:
   https://www.jenkins.io/security/advisory/2024-03-20/

Comment: CVSS (Max):  7.5 CVE-2024-22201 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Jenkins
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2024-03-20

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Jenkins (core)

Descriptions
------------

HTTP/2 denial of service vulnerability in bundled Jetty

SECURITY-3379 / CVE-2024-22201
Severity (CVSS): High

Description:

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and
servlet server when started using java -jar jenkins.war. This is how Jenkins
is run when using any of the installers or packages, but not when run using
servlet containers such as Tomcat.

Jenkins 2.443 and earlier, LTS 2.440.1 and earlier bundle versions of Jetty
affected by the security vulnerability CVE-2024-22201. This vulnerability
allows unauthenticated attackers to cause a denial of service.

This only affects instances that enable HTTP/2, typically using the
--http2Port argument to java -jar jenkins.war or corresponding options in
service configuration files. It is disabled by default in all native
installers and the Docker images provided by the Jenkins project.

Jenkins 2.444, LTS 2.440.2 updates the bundled Jetty to version 10.0.20,
which is unaffected by these issues.

Administrators unable to update to these releases of Jenkins (or newer) are
advised to disable HTTP/2.

Severity
--------

  o SECURITY-3379: High

Affected Versions
-----------------

  o Jenkins weekly up to and including 2.443
  o Jenkins LTS up to and including 2.440.1

Fix
---

  o Jenkins weekly should be updated to version 2.444
  o Jenkins LTS should be updated to version 2.440.2

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
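The bulletin makes two facts decisive for an operator: whether the running version falls in the affected ranges (weekly up to 2.443, LTS up to 2.440.1) and whether HTTP/2 is enabled on the Winstone-Jetty listener via --http2Port. The following triage script is an added example written for this page; it is not AusCERT's or the Jenkins project's code. It assumes the version is read from the X-Jenkins response header that stock Jenkins sends, that HTTP/2 is configured with the --http2Port argument the advisory names, and that a negative port value means a disabled listener (Winstone's convention for its port arguments). The header block and JENKINS_OPTS string at the bottom are constructed sample input, not data from a real host.

```python
"""Triage helper for ESB-2024.1717 / CVE-2024-22201.

Added example, not AusCERT's or Jenkins' code. It applies the two tests the
advisory makes decisive:
  1. version range: weekly <= 2.443 or LTS <= 2.440.1 bundles the affected Jetty;
  2. exposure: the bug is only reachable when HTTP/2 is enabled, which
     Winstone-Jetty does via an --http2Port argument.
An instance is exposed only when both hold.
"""
import re

# Fixed releases named in the advisory. Weekly versions are MAJOR.MINOR,
# LTS versions are MAJOR.MINOR.PATCH; the component count tells them apart.
WEEKLY_FIXED = (2, 444)
LTS_FIXED = (2, 440, 2)


def parse_version(text):
    """'2.440.1' -> (2, 440, 1). Rejects anything that is not 2 or 3 numeric parts."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def version_affected(text):
    """True when the version precedes the fix on its own release line."""
    version = parse_version(text)
    fixed = LTS_FIXED if len(version) == 3 else WEEKLY_FIXED
    return version < fixed


def version_from_headers(raw_headers):
    """Pull the version out of the X-Jenkins header in a raw HTTP header block
    (assumption: the instance sends it, as stock Jenkins does)."""
    match = re.search(r"^X-Jenkins:\s*(\S+)", raw_headers, re.IGNORECASE | re.MULTILINE)
    return match.group(1) if match else None


def http2_port(launch_options):
    """Return the HTTP/2 listener port found in a command line or JENKINS_OPTS
    string, or None when HTTP/2 is off. A negative value is treated as a
    disabled listener (assumption: Winstone's convention, as with --httpPort=-1)."""
    match = re.search(r"--http2Port(?:=|\s+)(-?\d+)", launch_options)
    if not match:
        return None
    port = int(match.group(1))
    return port if port >= 0 else None


def triage(version, launch_options):
    """Combine both checks into the decision an operator has to make."""
    affected = version_affected(version)
    port = http2_port(launch_options)
    exposed = affected and port is not None
    if not affected:
        advice = "not affected: bundled Jetty is already 10.0.20 or later"
    elif exposed:
        advice = ("exposed: update to weekly 2.444 / LTS 2.440.2, or remove "
                  f"--http2Port={port} to disable HTTP/2 until you can")
    else:
        advice = "affected version but HTTP/2 disabled; schedule the update"
    return {"version": version, "affected": affected,
            "http2_port": port, "exposed": exposed, "advice": advice}


# Constructed sample input: a response header block and a service-file option
# string of the kind the advisory refers to. Neither comes from a real host.
SAMPLE_HEADERS = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.440.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
)
SAMPLE_OPTS = 'JENKINS_OPTS="--httpPort=8080 --http2Port=8443"'

if __name__ == "__main__":
    result = triage(version_from_headers(SAMPLE_HEADERS), SAMPLE_OPTS)
    print(result["advice"])
```

In practice the header block would come from a HEAD request to the instance's own URL and the option string from the service unit or init script; the script is deliberately split so each input can be gathered by whatever means the site already uses for inventory. Note that a weekly version number of the form 2.440 is compared on the weekly line, while 2.440.1 is compared on the LTS line, which matches how the advisory states the two ranges.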