A flaw was found in the way Jenkins uses the Stapler web framework for HTTP request handling. Stapler’s basic premise is that it uses reflective access to code elements matching its naming conventions. As these naming conventions closely match common code patterns in Java, accessing crafted URLs could invoke methods never intended to be invoked this way. References: https://jenkins.io/security/advisory/2018-12-05/
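The routing behaviour described above, as an added toy example (not Jenkins or Stapler code, and not taken from the advisory): a dispatcher that maps URL segments to getXxx/doXxx methods by reflection, next to a variant that only follows methods carrying an explicit opt-in marker. The class names, the WebRoutable annotation and the opt-in check are assumptions made for illustration and do not describe the actual upstream fix.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;

// Toy model of convention-based URL routing; this is NOT the Stapler API.
public class ReflectiveRoutingDemo {
    // Hypothetical opt-in marker for methods meant to be reachable from a URL.
    @Retention(RetentionPolicy.RUNTIME)
    @interface WebRoutable {}
    public static class SessionStore {
        private int active = 3;
        // Ordinary internal helper that happens to match the doXxx convention.
        public String doInvalidateAll() { active = 0; return "all sessions invalidated"; }
    }
    public static class Root {
        private final SessionStore sessions = new SessionStore();
        @WebRoutable public String doStatus() { return "ok"; }
        // Plain Java getter written for internal callers, never meant as a route.
        public SessionStore getSessions() { return sessions; }
    }

    // Walks "/a/b" as root.getA().doB(), the way naming-convention routing does.
    static Object dispatch(Object root, String path, boolean requireOptIn) throws Exception {
        Object node = root;
        String[] segs = path.replaceAll("^/+", "").split("/");
        for (int i = 0; i < segs.length; i++) {
            String cap = Character.toUpperCase(segs[i].charAt(0)) + segs[i].substring(1);
            String name = (i == segs.length - 1 ? "do" : "get") + cap;
            Method m = node.getClass().getMethod(name);
            if (requireOptIn && !m.isAnnotationPresent(WebRoutable.class)) {
                throw new SecurityException("not routable: " + name);
            }
            node = m.invoke(node);
        }
        return node;
    }

    public static void main(String[] args) throws Exception {
        // Convention only: a getter plus an internal method become an endpoint.
        System.out.println(dispatch(new Root(), "/sessions/invalidateAll", false));
        // Opt-in routing: the intended action still works, the accidental one is refused.
        System.out.println(dispatch(new Root(), "/status", true));
        try {
            dispatch(new Root(), "/sessions/invalidateAll", true);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

With the opt-in check enabled the walk stops at the first unmarked getter, so nothing behind it is reachable regardless of what the remaining path segments name.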
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1656866]
From upstream advisory:

As of publication of this advisory, we are aware of the following potential attacks in the latest Jenkins releases that do not yet contain this fix:

- Unauthenticated users can invalidate all sessions
- Users with Overall/Read permission could create new user objects in memory.
- Users with Overall/Read access could manually kick off otherwise periodically executed runs of implementations of AsyncPeriodicWork.

Given the vast potential attack surface, we fully expect other attacks, that we are not currently aware of, to be possible on Jenkins releases that do not have this fix applied. This is reflected in the high score we assigned to this issue, rather than limiting the score to the impact through known issues.
Statement: This vulnerability is only exploitable by a user with developer permissions. Therefore this vulnerability is rated Important for OpenShift Container Platform 3.x.
PR https://github.com/openshift/jenkins/pull/749 created for 3.11
The PR I mentioned has merged, updating our centos image. Job https://buildvm.openshift.eng.bos.redhat.com:8443/job/devex/job/devex%252Fjenkins-bump-version/27/ updated the RPM used in the 3.11 z stream to point to 2.138.4