Page MenuHomePhabricator
Create Task
Maniphest T360759

Jenkins core security advisory - 2024-03-20
Closed, ResolvedPublicSecurity
Actions

Description

https://www.jenkins.io/security/advisory/2024-03-20/

HTTP/2 denial of service vulnerability in bundled Jetty
SECURITY-3379 / CVE-2024-22201

NOTE: This only affects instances that enable HTTP/2, typically using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files. It is disabled by default in all native installers and the Docker images provided by the Jenkins project.

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedSecurityhasharT360759 Jenkins core security advisory - 2024-03-20
 ResolvedjnucheT361084 Upgrade matrix-auth for Jenkins 2.440
 ResolvedDzahnT361083 ProbeDown (releases1003)

Event Timeline

hashar created this task.Mar 22 2024, 10:10 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 22 2024, 10:10 AM
hashar added projects: Release-Engineering-Team, Continuous-Integration-Infrastructure, Jenkins.Mar 22 2024, 10:11 AM

We currently run 2.426.3 and we do not pass --http2Port which implies HTTP/2 protocol is not enabled in Jetty.

hashar changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 22 2024, 10:13 AM
hashar changed the edit policy from "Custom Policy" to "All Users".
Stashbot added a comment.Mar 22 2024, 10:17 AM

Mentioned in SAL (#wikimedia-operations) [2024-03-22T10:17:36Z] <moritzm> uploaded jenkins 2.440.2 to apt.wikimedia.org T360759

sbassett edited projects, added Vuln-VulnComponent, SecTeam-Processed; removed Security-Team.Mar 22 2024, 1:53 PM
sbassett changed Risk Rating from N/A to Low.
hashar added a comment.Mar 27 2024, 8:43 AM
In T360759#9653467, @Stashbot wrote:

Mentioned in SAL (#wikimedia-operations) [2024-03-22T10:17:36Z] <moritzm> uploaded jenkins 2.440.2 to apt.wikimedia.org T360759

Due to the contint* servers, we also need the Debian package for Buster, it should be under buster-wikimedia thirdparty/ci.

Stashbot added a comment.Mar 27 2024, 8:48 AM

Mentioned in SAL (#wikimedia-operations) [2024-03-27T08:48:43Z] <hashar@deploy1002> Started deploy [releng/jenkins-deploy@b3ccf85] (releasing): Upgrade Jenkins from 2.426.3 to 2.440.2 on release hosts # T360759

Stashbot added a comment.Mar 27 2024, 8:54 AM

Mentioned in SAL (#wikimedia-operations) [2024-03-27T08:54:34Z] <hashar@deploy1002> Finished deploy [releng/jenkins-deploy@b3ccf85] (releasing): Upgrade Jenkins from 2.426.3 to 2.440.2 on release hosts # T360759 (duration: 05m 51s)

hashar added a comment.EditedMar 27 2024, 8:55 AM

The release Jenkins fails:

Mar 27 08:53:49 releases1003 jenkins[1678621]: [03/27/24 08:53:49] SSH Launch of releases1003.eqiad.wmnet on localhost completed in 4,597 ms
Mar 27 08:53:50 releases1003 jenkins[1678621]: SEVERE: [jenkins.InitReactorRunner$1 onTaskFailed] Failed ConfigurationAsCode.init
Mar 27 08:53:50 releases1003 jenkins[1678621]: SEVERE: [hudson.util.BootFailure publish] Failed to initialize Jenkins
Mar 27 08:53:54 releases1003 jenkins[1678621]: WARNING: [org.eclipse.jetty.server.handler.ContextHandler$Context log] Error while serving http://releases-jenkins.wikimedia.org/

There are some unhandled exception ID being logged but no trace. I have filed it as T361084

hashar added a subtask: T361084: Upgrade matrix-auth for Jenkins 2.440.Mar 27 2024, 9:12 AM
Jelto added a subtask: T361083: ProbeDown (releases1003).Mar 27 2024, 10:26 AM
Jelto mentioned this in T361083: ProbeDown (releases1003).
Jelto added a project: collaboration-services.Mar 27 2024, 10:31 AM
jnuche closed subtask T361084: Upgrade matrix-auth for Jenkins 2.440 as Resolved.Mar 27 2024, 3:55 PM
jnuche subscribed.

Release Jenkins instances have now been upgraded to 2.440.2. An update of some configuration and the matrix-auth plugin was also required: https://gitlab.wikimedia.org/repos/releng/jenkins-deploy/-/merge_requests/57

Dzahn mentioned this in T361057: SystemdUnitFailed - releases2003 - gitlab-runner1003.Mar 27 2024, 7:37 PM
Dzahn closed subtask T361083: ProbeDown (releases1003) as Resolved.Mar 27 2024, 11:35 PM
Stashbot added a comment.Tue, Apr 2, 2:09 PM

Mentioned in SAL (#wikimedia-operations) [2024-04-02T14:09:04Z] <moritzm> imported jenkins 2.440.2 to thirdparty/ci for buster-wikimedia T360759

hashar added a comment.Tue, Apr 2, 2:13 PM

I will look at upgrading the CI Jenkins tomorrow morning.

Stashbot added a comment.Wed, Apr 3, 12:42 PM

Mentioned in SAL (#wikimedia-operations) [2024-04-03T12:42:29Z] <hashar> Upgrading CI Jenkins # T360759

hashar closed this task as Resolved.Wed, Apr 3, 12:43 PM
hashar claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL