Date: Thu, 28 Feb 2013 22:42:17 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: kk@...suke.org
Subject: Re: Jenkins CVE request for Jenkins Security Advisory 2013-02-16

On 02/20/2013 11:35 PM, Kurt Seifried wrote:
> Ok no reply from anyone on this so I'm moving ahead.
> 
> On 02/17/2013 07:56 PM, Kurt Seifried wrote:
>> I'm trying to sort out this security advisory so CVE #'s can be 
>> assigned to it, can you (kk@) please comment on this? thanks.
> 
>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16

Also

David Jorm (djorm@...hat.com) reports the following issues were
fixed in this release:

=============================================
* Jenkins included spring 2.5.0. This is vulnerable to CVE-2010-1622
and CVE-2011-2730, flaws which can allow for arbitrary remote code
execution:

http://support.springsource.com/security/cve-2010-1622
http://support.springsource.com/security/cve-2011-2730

The way that Jenkins uses spring does not seem to expose an
exploitable use case, but nonetheless it is dangerous to distribute a
component with known serious vulnerabilities. I suggest upgrading to
spring 2.5.6.SEC03 to mitigate these flaws.

* Jenkins included:

jenkins.war (unzip)
-> WEB-INF/plugin/maven-plugin.hpi (unzip)
-> WEB-INF/lib/xercesImpl-2.9.1.jar

This copy of xerces is vulnerable to CVE-2009-2625. I have tested with
a reproducer and confirmed it is vulnerable. The flaw relates to how
xerces processes the SYSTEM identifier in DTDs. A remote attacker
could provide a specially-crafted XML file, which once parsed by an
application using xerces, would lead to a denial of service
(application hang due to excessive CPU use). This would be exploitable
on jenkins so long as an attacker can somehow provide an XML file that
jenkins will process using the vulnerable copy of xerces. It seems to
me that this would be possible, but I could be wrong.

Either way, upgrading to xerces >= 2.10.1 will resolve this flaw:

http://xerces.apache.org/xerces2-j/releases.html

=============================================

So three more reasons to update =)

Also does anyone know if kk@...suke.org is the correct email for
Kohsuke Kawaguchi or if there is a better one?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

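The nested-archive layout in the message (jenkins.war -> WEB-INF/plugin/maven-plugin.hpi -> WEB-INF/lib/xercesImpl-2.9.1.jar) is exactly the case a flat "unzip and grep" misses, because the vulnerable jar sits inside a plugin that is itself zipped inside the war. The script below is an added example, not code from Jenkins, Red Hat or the advisory: it walks a .war, descends into every nested .hpi/.jar/.zip member, parses name and version out of jar file names, and flags components older than the fixed versions David Jorm names (xerces >= 2.10.1, spring 2.5.6.SEC03). The MIN_VERSIONS table, the artifact-name regex and the sample war built by build_sample_war() are assumptions constructed here for the demonstration; the real jar names inside a given Jenkins release may differ.

```python
"""Find known-vulnerable jars bundled (possibly several archives deep)
inside a Jenkins-style .war.

Added example for the oss-security thread above; not Jenkins or Red Hat
code.  The fixed versions in MIN_VERSIONS come from the advisory text.
"""
import io
import re
import sys
import zipfile

# Artifact name prefix -> first version that fixes the CVEs in the message.
# (assumed mapping, derived from the text of the message above)
MIN_VERSIONS = {
    "xercesImpl": "2.10.1",    # CVE-2009-2625 (DTD SYSTEM identifier DoS)
    "spring": "2.5.6.SEC03",   # CVE-2010-1622, CVE-2011-2730
}

# Members with these extensions are zip files that may carry more jars.
NESTED_EXT = (".jar", ".hpi", ".war", ".zip")

# "spring-core-2.5.0.jar" -> name="spring-core", ver="2.5.0"  (assumed convention)
ARTIFACT_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*?)-(?P<ver>\d[\w.]*)\.jar$")


def version_key(ver):
    """Sortable key: numeric dot-parts compare as ints, others (e.g. SEC03) as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in ver.split("."))


def is_older(found, minimum):
    """True when `found` is strictly below `minimum` (a shorter prefix counts as older)."""
    return version_key(found) < version_key(minimum)


def scan_archive(data, path=""):
    """Return (inner_path, name, version) for every versioned jar, recursing into nested zips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename
            inner = f"{path}!/{member}" if path else member   # jar-URL style nesting marker
            base = member.rsplit("/", 1)[-1]
            m = ARTIFACT_RE.match(base)
            if m:
                findings.append((inner, m["name"], m["ver"]))
            if base.lower().endswith(NESTED_EXT):
                # A plugin (.hpi) is itself a zip with its own WEB-INF/lib; descend.
                try:
                    findings.extend(scan_archive(zf.read(member), inner))
                except zipfile.BadZipFile:
                    pass  # not a real zip (corrupt or misnamed); skip it
    return findings


def vulnerable_components(data):
    """Return (inner_path, name, found_version, fixed_version) for every flagged jar."""
    hits = []
    for inner, name, ver in scan_archive(data):
        for prefix, minimum in MIN_VERSIONS.items():
            if (name == prefix or name.startswith(prefix + "-")) and is_older(ver, minimum):
                hits.append((inner, name, ver, minimum))
    return hits


def _zip_bytes(entries):
    """Build an in-memory zip from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed stand-in for jenkins.war mirroring the layout in the message."""
    manifest = "Manifest-Version: 1.0\n"
    xerces_jar = _zip_bytes({"META-INF/MANIFEST.MF": manifest})
    maven_hpi = _zip_bytes({
        "META-INF/MANIFEST.MF": manifest,
        "WEB-INF/lib/xercesImpl-2.9.1.jar": xerces_jar,   # the nested copy
    })
    return _zip_bytes({
        "WEB-INF/lib/spring-core-2.5.0.jar": _zip_bytes({"META-INF/MANIFEST.MF": manifest}),
        "WEB-INF/lib/commons-io-2.4.jar": _zip_bytes({"META-INF/MANIFEST.MF": manifest}),
        "WEB-INF/plugin/maven-plugin.hpi": maven_hpi,
    })


if __name__ == "__main__":
    # Usage: python scan_war.py [path/to/jenkins.war]; defaults to the constructed sample.
    war = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_war()
    for inner, name, ver, minimum in vulnerable_components(war):
        print(f"{inner}: {name} {ver} < {minimum}")
```

Matching on file names is a heuristic: a repackaged or shaded copy of xerces with an unversioned jar name, or classes merged into another jar, will not show up, so treat a clean result as "nothing obvious", not as proof that the fixed version is in use. The `!/` separator in the reported paths follows the jar-URL convention, which makes it easy to see which plugin carries the offending copy.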
