Non-constant time comparison of inbound TCP agent connection secret
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 2.204.22.205 → fixed in 2.219
Details
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison validating the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret. Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison function for verifying connection secrets.
The fix
[SECURITY-1659]
pom.xml+1 −1
@@ -107,7 +107,7 @@ THE SOFTWARE.<maven-war-plugin.version>3.0.0</maven-war-plugin.version> <!-- JENKINS-47127 bump when 3.2.0 is out. Cf. MWAR-407 --><!-- Bundled Remoting version -->-<remoting.version>3.29</remoting.version>+<remoting.version>3.29.1</remoting.version><!-- Minimum Remoting version, which is tested for API compatibility --><remoting.minimum.supported.version>3.4</remoting.minimum.supported.version>
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2101
- WEBhttps://github.com/jenkinsci/jenkins/commit/0ba36508187ff771bba87feaf03057496775064c
- WEBhttps://access.redhat.com/errata/RHBA-2020:0402
- WEBhttps://access.redhat.com/errata/RHBA-2020:0675
- WEBhttps://access.redhat.com/errata/RHSA-2020:0681
- WEBhttps://access.redhat.com/errata/RHSA-2020:0683
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://jenkins.io/security/advisory/2020-01-29/#SECURITY-1659
- WEBhttp://www.openwall.com/lists/oss-security/2020/01/29/1