Bug 1620344 (CVE-2018-1999044) - CVE-2018-1999044 jenkins: Cron expression form validation could enter infinite loop, potentially resulting in denial of service
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-1999044
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1620345
Blocks: 1620339
Reported: 2018-08-23 04:36 UTC by Sam Fowler
Modified: 2021-02-16 23:10 UTC (History)

Fixed In Version: jenkins 2.121.3, jenkins 2.138
Clone Of:
Environment:
Last Closed: 2019-06-10 10:36:38 UTC
Embargoed:

Description Sam Fowler 2018-08-23 04:36:34 UTC
Jenkins before LTS version 2.121.3 and weekly version 2.138 are vulnerable to a denial of service.

The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.


External Reference:

https://jenkins.io/security/advisory/2018-08-15/#SECURITY-790

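The failure mode described in the report is a next-fire-time search that never terminates when a cron expression can match no real date (a day-of-month that does not exist in the selected month, for instance). The following Python sketch is an added illustration, not Jenkins code and not part of this bug report: it shows the defensive pattern of bounding that search with a fixed horizon so a form validator returns a warning instead of tying up the request thread forever. The function names (`next_match`, `validate_cron`, `DEFAULT_HORIZON_DAYS`), the constructed sample expressions, and the simplified rule that day-of-month and day-of-week must both match are assumptions of this example.

```python
"""Bounded next-match search for five-field cron expressions (illustrative, not Jenkins code)."""
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Field order and allowed ranges: minute, hour, day-of-month, month, day-of-week (0 = Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

# Assumed horizon: a bit over four years covers every leap-day / weekday combination,
# so anything not found within it is treated as "never fires" rather than searched forever.
DEFAULT_HORIZON_DAYS = 366 * 4 + 1


def parse_field(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand one cron field ('*', lists, ranges, steps) into the set of matching values."""
    values: Set[int] = set()
    for part in spec.split(","):
        base, _, step_s = part.partition("/")
        step = int(step_s) if step_s else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            a, b = base.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(base)
            end = hi if step_s else start  # "5/15" means every 15 units starting at 5
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"invalid cron field {spec!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str) -> List[Set[int]]:
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 space-separated fields")
    return [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def next_match(expr: str, start: datetime, horizon_days: int = DEFAULT_HORIZON_DAYS) -> Optional[datetime]:
    """Return the first minute after `start` matching `expr`, or None if none exists within the horizon.

    Simplification (assumed for this example): day-of-month AND day-of-week must both match,
    which is exactly the kind of combination that can produce an expression with no valid date.
    """
    minutes, hours, doms, months, dows = parse_cron(expr)
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    deadline = t + timedelta(days=horizon_days)  # the bound that prevents an endless loop
    while t < deadline:
        cron_dow = (t.weekday() + 1) % 7  # Python: Monday=0; cron: Sunday=0
        if t.month not in months or t.day not in doms or cron_dow not in dows:
            # Date fields do not match: jump to the next midnight instead of stepping minutes.
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)
            continue
        if t.hour not in hours:
            t = (t + timedelta(hours=1)).replace(minute=0)
            continue
        if t.minute not in minutes:
            t += timedelta(minutes=1)
            continue
        return t
    return None


def validate_cron(expr: str, now: datetime, horizon_days: int = DEFAULT_HORIZON_DAYS) -> str:
    """Form-validation style check that always terminates because next_match is bounded."""
    try:
        nxt = next_match(expr, now, horizon_days)
    except ValueError as exc:
        return f"error: {exc}"
    if nxt is None:
        return f"warning: expression never fires within {horizon_days} days"
    return f"ok: next run {nxt.isoformat()}"


if __name__ == "__main__":
    now = datetime(2021, 1, 1)  # constructed reference time
    for sample in ("0 0 29 2 *", "0 0 30 2 *", "0 0 31 4 *", "*/15 9-17 * * 1-5"):
        print(f"{sample:20} -> {validate_cron(sample, now)}")
```

The "never fires" cases (30 February, 31 April) are the interesting ones: an unbounded search would skip day after day without ever returning, which is the behaviour the advisory describes; with the horizon in place the validator answers in a few thousand iterations.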
Comment 1 Sam Fowler 2018-08-23 04:36:52 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1620345]

Comment 3 Jason Shepherd 2018-10-31 02:04:09 UTC
OpenShift Container Platform 3.x uses cgroups to limit the CPU allocated to pods by default. Any denial of service caused by this issue would be limited to the user's own Jenkins instance and won't affect other users on the same compute node.

Comment 4 Jason Shepherd 2018-10-31 02:05:18 UTC
Statement:

Users of OpenShift Container Platform 3.x should upgrade to 3.11 to pick up a fix for this issue.
