CloudBees Security Advisory 2012-01-12

Vulnerability in Jenkins Core

This vulnerability, commonly known as "the Hash DoS attack" , enables an attacker to cause a considerable CPU load on Jenkins just by sending a small data, thereby denying service to legitimate users.

This vulnerability affects Jenkins up to and including 1.446, LTS releases up to and including 1.424.1. This is a vulnerability in the built-in servlet container (named Winstone), and therefore the only affected users are those who are running Jenkins via java -jar jenkins.war (which includes users of all the native packages, such as Windows, Debian, Solaris, RPM, OpenSUSE, Gentoo, and Mac packages.)

Those who are deploying Jenkins to other servlet containers are encouraged to consult the security advisories of your servlet container for the updates. Because of the nature of the vulnerability, every servlet container is affected.

Severity

CloudBees rates this vulnerability as medium . This vulnerability does not allow an attacker to gain access to sensitive information, but it is widely publicized and an attack code is easy to obtain.

Fix

  • Main line users should upgrade to Jenkins 1.447.

  • LTS users should upgrade to the upcoming 1.424.2.

  • Users of Jenkins Enterprise by CloudBees 1.424.x should upgrade to 1.424.2.1 .

  • Users of Jenkins Enterprise by CloudBees 1.400.x should upgrade to 1.400.0.11 .