A critical vulnerability has been discovered in Jenkins, specifically impacting the NS-ND Integration Performance Publisher Plugin version 4.8..146 and earlier. This post will detail the specifics of the vulnerability, CVE-2022-38666, and walk you through the exploitation process, including the affected code snippet and references to original sources.

Vulnerability Description

The vulnerability arises from the plugin unconditionally disabling SSL/TLS certificate and hostname validation for several features. This can lead to Man-in-the-Middle (MITM) attacks, potentially allowing threat actors to intercept sensitive data or compromise the Jenkins server.

Version: 4.8..146 and earlier

CVE Number: CVE-2022-38666
CVSS v3.1 Score: 9.1 (Critical)

Code Snippet Vulnerability

The following code snippet from the affected plugin shows how SSL/TLS certificate validation and hostname verification are disabled:

// Imports added for readability; the plugin's own NoCheckTrustManager and
// NoCheckHostnameVerifier classes are referenced here but not reproduced.
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
SSLContext sslContext = SSLContext.getInstance("SSL");
// NoCheckTrustManager accepts every certificate chain, so any server, including one
// interposed by a MITM, is trusted.
TrustManager[] trustAllCerts = new TrustManager[] {new NoCheckTrustManager()};
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
connection.setSSLSocketFactory(sslContext.getSocketFactory());
// NoCheckHostnameVerifier returns true for any host, so the certificate's name
// is never compared with the host being contacted.
HostnameVerifier noCheckVerifier = new NoCheckHostnameVerifier();
connection.setHostnameVerifier(noCheckVerifier);

The TrustManager implementation, "NoCheckTrustManager", accepts every certificate chain without validating it. The HostnameVerifier implementation, "NoCheckHostnameVerifier", accepts any hostname regardless of the certificate's subject. Together they remove both checks that make TLS authenticate the remote server.

Exploit Details

An attacker can take advantage of the vulnerability by executing a Man-in-the-Middle (MITM) attack. By positioning themselves between the Jenkins server and the outbound requests made by the plugin, the attacker can present their own certificate, which the plugin accepts, and then read or modify the data transmitted between the systems.

Mitigation and Solution

To remediate the vulnerability, users of the NS-ND Integration Performance Publisher Plugin must upgrade to version 4.8..147 or later. This updated version keeps SSL/TLS certificate and hostname validation enabled, using the following code snippet:

HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
// The JVM's default SSLContext validates the chain against the platform trust store.
connection.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
// javax.net.ssl.HostnameVerifier has no getDefault(); the default verifier is
// obtained from HttpsURLConnection. Both calls restore what HttpsURLConnection
// already does when nothing is overridden, so simply not installing the
// NoCheck implementations is equivalent.
connection.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
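The following is an added example, not code from the plugin or the Jenkins project. It covers both the vulnerable pattern described under "Code Snippet Vulnerability" and the remediation above: the usual reason a developer installs a "trust all" manager is a private CA on the NetStorm/NetDiagnostics endpoint, so the example loads that CA from a PKCS12 truststore instead and keeps the default hostname verifier. It also includes a check, usable in a unit test or code review, that flags a trust manager advertising no accepted issuers, which is the typical shape of a NoCheckTrustManager-style class. The class name ValidatingHttpsClient, the truststore path and the password are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper (not part of the plugin): HTTPS with validation kept on. */
public final class ValidatingHttpsClient {

    private ValidatingHttpsClient() {}

    /** Build an SSLContext rooted in a PKCS12 truststore holding the private CA. */
    public static SSLContext contextForTruststore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        rejectPermissiveTrustManagers(tmf.getTrustManagers());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Heuristic check: a TrustManager that is not an X509TrustManager, or one
     * that advertises no accepted issuers, is rejected. Trust-all
     * implementations almost always return null or an empty array here.
     */
    public static void rejectPermissiveTrustManagers(TrustManager[] managers) {
        if (managers == null || managers.length == 0) {
            throw new IllegalStateException("no trust managers configured");
        }
        for (TrustManager tm : managers) {
            if (!(tm instanceof X509TrustManager)) {
                throw new IllegalStateException("unexpected trust manager: " + tm.getClass());
            }
            X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
            if (issuers == null || issuers.length == 0) {
                throw new IllegalStateException("trust manager " + tm.getClass().getName()
                    + " accepts no issuers; this is the shape of a trust-all implementation");
            }
        }
    }

    /** Open a connection with the given context; hostname verification stays at the default. */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        // Explicit for clarity; this is already the default verifier.
        c.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return c;
    }

    public static void main(String[] args) throws Exception {
        // 1. The JVM's default trust managers (cacerts) pass the check.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        rejectPermissiveTrustManagers(tmf.getTrustManagers());
        System.out.println("default trust managers: ok");

        // 2. A trust-all manager shaped like NoCheckTrustManager fails the check.
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        try {
            rejectPermissiveTrustManagers(trustAll);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 3. Private-CA deployment (constructed path/password; file must exist to run this branch).
        if (args.length == 2) {
            SSLContext ctx = contextForTruststore(args[0], args[1].toCharArray());
            HttpsURLConnection c = open(new URL("https://netstorm.example.internal/"), ctx);
            System.out.println("HTTP " + c.getResponseCode());
        }
    }
}
```

The accepted-issuers check is a heuristic, not proof of correct validation: a trust-all manager could return a non-empty issuer list and still skip checkServerTrusted, so the check complements, rather than replaces, a review of the TrustManager source and an integration test against a server presenting an untrusted certificate.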

References

- Official Jenkins Security Advisory: https://www.jenkins.io/security/advisory/2022-02-16/
- CVE List (CVE-2022-38666): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38666
- NVD Page: https://nvd.nist.gov/vuln/detail/CVE-2022-38666

Conclusion

CVE-2022-38666 presents a serious threat to users of the Jenkins NS-ND Integration Performance Publisher Plugin. It is crucial to upgrade to version 4.8..147 or later to mitigate the risk of MITM attacks. Those responsible for Jenkins server maintenance and security should prioritize this fix and continue to monitor security advisories from the Jenkins project.

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 21:28:00 UTC