Bug 1067827 (CVE-2014-2066)

Summary: CVE-2014-2066 jenkins: session fixation issue (SECURITY-75)
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jrusnack, lmeyer, mmcgrath, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-28 22:52:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1033371, 1033372, 1033373    
Bug Blocks: 1065822, 1103334    

Description Murray McAllister 2014-02-21 06:53:13 UTC 
Jenkins Security Advisory 2014-02-14 notes:

"Jenkins was vulnerable to session fixation attack. If Jenkins is deployed in an environment that allows an attacker to override Jenkins cookies in victim's browser, this vulnerability can be exploited."

Upstream fix: https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a

MITRE notes at http://www.openwall.com/lists/oss-security/2014/02/21/2 "...Again, the unusual threat model might limit the practical relevance of this."

References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
Comment 1 Kurt Seifried 2014-10-28 22:52:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html