Security context
Medium· 5.3GHSA-w7jr-wqw6-54xc CVE-2020-2101CWE-203CWE-208Published May 24, 2022

Non-constant time comparison of inbound TCP agent connection secret

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.204.22.205 → fixed in 2.219

Details

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison validating the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret. Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison function for verifying connection secrets.

The fix

[SECURITY-1659]

Wadeck Follonier· Jan 14, 2020, 11:54 AM+110ba3650818
pom.xml+1 1
@@ -107,7 +107,7 @@ THE SOFTWARE.
<maven-war-plugin.version>3.0.0</maven-war-plugin.version> <!-- JENKINS-47127 bump when 3.2.0 is out. Cf. MWAR-407 -->
<!-- Bundled Remoting version -->
- <remoting.version>3.29</remoting.version>
+ <remoting.version>3.29.1</remoting.version>
<!-- Minimum Remoting version, which is tested for API compatibility -->
<remoting.minimum.supported.version>3.4</remoting.minimum.supported.version>

References