https://bugzilla.redhat.com/show_bug.cgi?id=1797084
Bug ID: 1797084 Summary: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: psampaio@redhat.com CC: abenaiss@redhat.com, adam.kaplan@redhat.com, aos-bugs@redhat.com, bmontgom@redhat.com, eparis@redhat.com, extras-orphan@fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jokerman@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, nstielau@redhat.com, pbhattac@redhat.com, sponnaga@redhat.com, vbobade@redhat.com, wzheng@redhat.com Target Milestone: --- Classification: Other
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1659 http://www.openwall.com/lists/oss-security/2020/01/29/1