https://www.jenkins.io/security/advisory/2024-03-20/
HTTP/2 denial of service vulnerability in bundled Jetty
SECURITY-3379 / CVE-2024-22201
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | Security | hashar | T360759 Jenkins core security advisory - 2024-03-20
Resolved | | jnuche | T361084 Upgrade matrix-auth for Jenkins 2.440
Resolved | | Dzahn | T361083 ProbeDown (releases1003)
We currently run 2.426.3 and we do not pass --http2Port, which implies the HTTP/2 protocol is not enabled in Jetty.
Mentioned in SAL (#wikimedia-operations) [2024-03-22T10:17:36Z] <moritzm> uploaded jenkins 2.440.2 to apt.wikimedia.org T360759
Due to the contint* servers, we also need the Debian package for Buster; it should be under buster-wikimedia thirdparty/ci.
Mentioned in SAL (#wikimedia-operations) [2024-03-27T08:48:43Z] <hashar@deploy1002> Started deploy [releng/jenkins-deploy@b3ccf85] (releasing): Upgrade Jenkins from 2.426.3 to 2.440.2 on release hosts # T360759
Mentioned in SAL (#wikimedia-operations) [2024-03-27T08:54:34Z] <hashar@deploy1002> Finished deploy [releng/jenkins-deploy@b3ccf85] (releasing): Upgrade Jenkins from 2.426.3 to 2.440.2 on release hosts # T360759 (duration: 05m 51s)
The release Jenkins fails:
Mar 27 08:53:49 releases1003 jenkins[1678621]: [03/27/24 08:53:49] SSH Launch of releases1003.eqiad.wmnet on localhost completed in 4,597 ms
Mar 27 08:53:50 releases1003 jenkins[1678621]: SEVERE: [jenkins.InitReactorRunner$1 onTaskFailed] Failed ConfigurationAsCode.init
Mar 27 08:53:50 releases1003 jenkins[1678621]: SEVERE: [hudson.util.BootFailure publish] Failed to initialize Jenkins
Mar 27 08:53:54 releases1003 jenkins[1678621]: WARNING: [org.eclipse.jetty.server.handler.ContextHandler$Context log] Error while serving http://releases-jenkins.wikimedia.org/
There are some unhandled exception IDs being logged but no trace. I have filed it as T361084
Release Jenkins instances have now been upgraded to 2.440.2. An update of some configuration and the matrix-auth plugin was also required: https://gitlab.wikimedia.org/repos/releng/jenkins-deploy/-/merge_requests/57
Mentioned in SAL (#wikimedia-operations) [2024-04-02T14:09:04Z] <moritzm> imported jenkins 2.440.2 to thirdparty/ci for buster-wikimedia T360759
Mentioned in SAL (#wikimedia-operations) [2024-04-03T12:42:29Z] <hashar> Upgrading CI Jenkins # T360759