CVE-2022-43422 Compuware Topaz Utilities Plugin 1.0.8 and earlier has an agent/controller message that doesn't limit where it can be executed, which allows attackers to obtain values of Java system properties.
Further, this issue can be triggered by sending an improper message from a plugin that has access to the Jenkins HTTP API. For example, an attacker could get access to the Jenkins configuration through a vulnerability in Jenkins Core and then launch an attack through the Jenkins HTTP API. IMPACT On a Jenkins system that uses Compuware Topaz Utilities Plugin 1.0.8 and earlier, attackers will be able to obtain the values of Java system properties.
References: CVE-2022-43422
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05136375
https://twitter.com/HPE_Security
Solution
Upgrade to Compuware Topaz Utilities Plugin 1.1.0 or later, which no longer allow attackers to obtain the values of Java system properties.
In this blog post, the author discusses how a specific plugin has been able to be exploited by sending an improper message to a Jenkins application that takes advantage of how the plugin is interacting with Jenkins.
Vulnerability Details
The vulnerability affects the Compuware Topaz Utilities Plugin 1.0.8 and earlier, which is a Jenkins plugin bundled with Jenkins. The plugin provides access to the Jenkins HTTP API and allows users to run commands inside their build jobs.
Resolvers and Browsers
This vulnerability can allow an attacker to obtain the values of Java system properties. These properties include the java.security.policy and java.security.providerClassName which are used in determining if a user is allowed to access a policy or file with restricted access, respectively. On systems that use Compuware Topaz Utilities Plugin 1.0.9 and later, this issue can be triggered by sending an improper message from a plugin that has access to the Jenkins HTTP API.
Timeline
Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 03:41:00 UTC