Bug 1620344 (CVE-2018-1999044)

Summary: CVE-2018-1999044 jenkins: Cron expression form validation could enter infinite loop, potentially resulting in denial of service
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, aos-bugs, bleanhar, bparees, ccoleman, dedgar, eparis, java-sig-commits, jgoulding, jokerman, mchappel, mizdebsk, msrb
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins 2.121.3, jenkins 2.138 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:36:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1620345    
Bug Blocks: 1620339    

Description Sam Fowler 2018-08-23 04:36:34 UTC
Jenkins before LTS version 2.121.3 and weekly version 2.138 are vulnerable to a denial of service.

The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.


External Reference:

https://jenkins.io/security/advisory/2018-08-15/#SECURITY-790

Comment 1 Sam Fowler 2018-08-23 04:36:52 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1620345]

Comment 3 Jason Shepherd 2018-10-31 02:04:09 UTC
OpenShift Container Platform 3.x uses cgroups to limit the CPU allocated to pods by default. Any denial of service caused by this issue would be limited to the user's own Jenkins instance and won't affect other users on the same compute node.

Comment 4 Jason Shepherd 2018-10-31 02:05:18 UTC
Statement:

Users of OpenShift Container Platform 3.x should upgrade to 3.11 to pick up a fix for this issue.