Jenkins Security Advisory 2014-10-15

This advisory discusses the impact of so-called Poodle vulnerability (CVE-2014-3566) in Jenkins core.

Description

This vulnerability allows a man-in-the-middle attacker to decrypt SSLv3 communication. See this post for the technical detail of the attack. This involves an attacker who sits in the middle of a Jenkins controller and a victim, and a victim who opens a web page controller by an attacker. By repeatedly making the victim’s browser to issue an HTTPS request to the Jenkins controller, the attacker can decrypt sensitive information such as session cookie one byte at a time.

Severity

CVE-2014-3566 is rated high. An man-in-the-middle attacker can relatively easily trick a victim into opening an unencrypted web page controlled by an attacker, and a successful exploit results in a compromise of the Jenkins controller and/or loss of data.

Affected Versions

All versions of Jenkins released to date is vulnerable, but only if all the following conditions are met:

  • You are using the built-in Winstone container by running Jenkins like java -jar jenkins.war …​ (this includes everyone who installed Jenkins via a package manager such as deb, rpm, msi, and so on.)

  • You enable the HTTPS protocol by adding the --httpsPort option

Fix

  • Jenkins 1.585, which is expected to ship in Oct 19th, will contain this fix.

  • Jenkins 1.580.1, which is expected to ship in Oct 29th, will contain this fix.

This issue and its fix is currently tracked as JENKINS-25169.

While we are working on releasing the new versions that incorporate the fix, you can change the way you run Jenkins today to get the fix on the version of Jenkins you are currently using:

  • Download winstone.jar v2.8, which contains the fix

  • Where you run java -jar path/to/jenkins.war …​, change this to java -jar winstone.jar --warfile=path/to/jenkins.war …​

This version of Winstone fixes the vulnerability by disabling SSLv3 entirely.