https://bugzilla.redhat.com/show_bug.cgi?id=1797080
Bug ID: 1797080
Summary: CVE-2020-2099 jenkins: Inbound TCP Agent Protocol/3 authentication bypass
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: abenaiss@redhat.com, adam.kaplan@redhat.com, aos-bugs@redhat.com, bmontgom@redhat.com, eparis@redhat.com, extras-orphan@fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jokerman@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, nstielau@redhat.com, pbhattac@redhat.com, sponnaga@redhat.com, vbobade@redhat.com, wzheng@redhat.com
Target Milestone: ---
Classification: Other
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682
http://www.openwall.com/lists/oss-security/2020/01/29/1
Pedro Sampaio psampaio@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Depends On |        |1797081
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1797081 [Bug 1797081] CVE-2020-2099 jenkins: Inbound TCP Agent Protocol/3 authentication bypass [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1797081]
Pedro Sampaio psampaio@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Blocks     |        |1797089
Sam Fowler sfowler@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Priority   |medium  |high
Severity   |medium  |high
Sam Fowler sfowler@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Depends On |        |1797143
Sam Fowler sfowler@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Depends On |        |1797144
Sam Fowler sfowler@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Depends On |        |1797146
--- Comment #5 from Sam Fowler sfowler@redhat.com --- "Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."
https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-...
--- Comment #6 from Akram Ben Aissi abenaiss@redhat.com --- This bug has been fixed by https://errata.devel.redhat.com/advisory/50532, which brought Jenkins 2.204.2.
Akram Ben Aissi abenaiss@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Depends On |        |1813070
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was found in Jenkins. Encryption key parameters are improperly reused in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents. The highest threat from this vulnerability is to data confidentiality.
Vibhav Bobade vbobade@redhat.com changed:
What        |Removed |Added
------------+--------+--------------------
Status      |NEW     |CLOSED
Resolution  |---     |NOTABUG
Last Closed |        |2020-08-26 16:38:11
--- Comment #7 from Vibhav Bobade vbobade@redhat.com --- Closing, as the bug is already fixed.
Sam Fowler sfowler@redhat.com changed:
What       |Removed |Added
-----------+--------+--------------------
Status     |CLOSED  |NEW
CC         |        |sfowler@redhat.com
Resolution |NOTABUG |---
Keywords   |        |Reopened
Vikas Laad vlaad@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Depends On |        |1873172
Bug 1797080 depends on bug 1797081, which changed state.

Bug 1797081 Summary: CVE-2020-2099 jenkins: Inbound TCP Agent Protocol/3 authentication bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1797081

What       |Removed |Added
-----------+--------+--------
Status     |NEW     |CLOSED
Resolution |---     |EOL