ASA-2018-00089 – Jenkins: Potential denial of service through cron expression form validation


Allele Security Alert

ASA-2018-00089

Identifier(s)

ASA-2018-00089, CVE-2018-1000864, SECURITY-1193

Title

Potential denial of service through cron expression form validation

Vendor(s)

Jenkins project

Product(s)

Jenkins (core)

Affected version(s)

Jenkins weekly up to and including 2.153
Jenkins LTS up to and including 2.138.3

Fixed version(s)

Jenkins weekly 2.154
Jenkins LTS 2.138.4 or 2.150.1

Proof of concept

Unknown

Description

The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter an infinite loop when given an expression that only matches certain rare dates (for example, a day of month that a given month never has). The loop ran on the request handling thread and never returned, so each such validation request blocked one thread indefinitely; enough of them exhaust the server's request handling threads and deny service to other users.
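The failure mode described above, as an added example in Python (this is not Jenkins code; the actual Java fix is linked under References): a minimal five-field cron parser and a day-by-day search for the next matching time. The scan in next_match is the loop that never returns when no day ever matches, e.g. "0 0 31 2 *". Bounding the scan with a search horizon and reporting a warning instead of hanging is this example's own hardening; the two-year horizon, the exception name and the validation messages are assumptions made here, not details taken from the page or the fix commit. The rare but possible case ("0 0 29 2 *") shows the trade-off: whether the bounded search finds it depends on how far away the next leap day is.

```python
"""Model of a cron "next run" search that hangs on rare or impossible dates,
and the bounded search that keeps form validation from tying up a thread.
Added example, not Jenkins code; the two-year horizon is an assumption."""
from datetime import datetime, timedelta


class RareOrImpossibleDateError(ValueError):
    """Raised when the expression matches no date inside the search horizon."""


def _parse_field(field, lo, hi):
    """Expand one cron field ('*', '5', '1-5', '*/15', '1,15', '1-10/2') into a set."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(rng)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError("bad cron field: %r" % field)
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse 'minute hour day-of-month month day-of-week' into allowed value sets."""
    parts = expr.split()
    if len(parts) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    return {
        "minutes": sorted(_parse_field(parts[0], 0, 59)),
        "hours": sorted(_parse_field(parts[1], 0, 23)),
        "doms": _parse_field(parts[2], 1, 31),
        "months": _parse_field(parts[3], 1, 12),
        "dows": {d % 7 for d in _parse_field(parts[4], 0, 7)},  # 7 == Sunday == 0
        "dom_restricted": parts[2] != "*",
        "dow_restricted": parts[4] != "*",
    }


def _day_matches(spec, day):
    """True if the calendar day satisfies the month / day-of-month / day-of-week fields."""
    if day.month not in spec["months"]:
        return False
    dom_ok = day.day in spec["doms"]
    dow_ok = (day.weekday() + 1) % 7 in spec["dows"]  # Python Monday=0 -> cron Sunday=0
    if spec["dom_restricted"] and spec["dow_restricted"]:
        return dom_ok or dow_ok  # classic cron rule when both fields are restricted
    return dom_ok and dow_ok


def next_match(expr, start, horizon=timedelta(days=2 * 366)):
    """Return the first datetime >= start matching expr, scanning one day at a time.

    Without the horizon check this loop is the advisory's bug: for '0 0 31 2 *'
    no day ever matches, so the loop never returns and the caller's thread hangs.
    """
    spec = parse_cron(expr)
    start = start.replace(second=0, microsecond=0)
    day = start.date()
    last_day = (start + horizon).date()  # assumed bound; a real fix picks its own
    while day <= last_day:
        if _day_matches(spec, day):
            for h in spec["hours"]:
                for m in spec["minutes"]:
                    candidate = datetime(day.year, day.month, day.day, h, m)
                    if candidate >= start:
                        return candidate
        day += timedelta(days=1)
    raise RareOrImpossibleDateError(
        "%r matches no date within %d days of %s" % (expr, horizon.days, start))


def validate_cron(expr, now):
    """What a bounded validation check returns instead of blocking the request thread."""
    try:
        when = next_match(expr, now)
    except RareOrImpossibleDateError as e:  # subclass of ValueError: catch it first
        return ("warning", str(e))
    except ValueError as e:
        return ("error", str(e))
    return ("ok", "next run at %s" % when.strftime("%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    now = datetime(2018, 12, 5, 10, 7)  # constructed sample "now"
    for expr in ("*/15 9-17 * * *", "30 14 * * 1", "0 0 29 2 *", "0 0 31 2 *"):
        print(expr.ljust(18), validate_cron(expr, now))
```

The day-level scan keeps the bounded search cheap (at most a few hundred iterations for an impossible date) while still returning the exact minute for normal expressions; a minute-by-minute scan would make even the bounded case slow enough to be a nuisance under load.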

Technical details

Unknown

Credits

Denis Shvedchenko (Sphere Inc)

Reference(s)

Jenkins Security Advisory 2018-12-05
https://jenkins.io/security/advisory/2018-12-05/

CloudBees Security Advisory 2018-12-05
https://www.cloudbees.com/cloudbees-security-advisory-2018-12-05

[SECURITY-1193]
https://github.com/jenkinsci/jenkins/commit/73afa0ca786a87f05b5433e2e38f863826fcad17

CVE-2018-1000864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000864

CVE-2018-1000864
https://nvd.nist.gov/vuln/detail/CVE-2018-1000864

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.