This can result in a silent security breach, as an attacker could use a certificate which was issued for another hostname with the same organizational authority.
In this Jenkins XSS bugfix release, we have decided to globally disable certificate validation only for the case where the controller’s hostname matches the certificate’s hostname.
If the controller’s hostname does not match the certificate’s hostname, the plugin will still disable SSL/TLS validation for the entire Jenkins JVM. This means that if an attacker is able to inject an SSL/TLS certificate which has the same hostname as the controller’s hostname, the vulnerability will still be present. However, an attacker would have a much harder time trying to use this certificate to compromise the Jenkins server.
In order to find out whether an SSL/TLS certificate has the same hostname as the JVM’s hostname, you can run the following command against the server certificate: openssl x509 -in server.crt -noout -hash The output of this command will be the fingerprint of the server certificate. To disable certificate validation globally for the JVM, you can set the validateSSLCertificateHostname parameter to false.
Checklist - to find out whether you are vulnerable to this XSS bugfix release
You can find out whether you are vulnerable to this XSS bugfix release by running the following command against the server certificate: openssl x509 -in server.crt -noout -hash The output of this command will be the fingerprint of the server certificate.
If the output of this command is two fingerprints (e.g., "sha256/A1:65:B2:8F:DC..."), then you are vulnerable to this bugfix release and should disable certificate validation globally for your JVM. If the output is only one fingerprint (e.g., "sha256/E5:D0:8A:BE:6D..."), then you are not vulnerable to this bugfix release and should continue using SSL/TLS validation as normal.
If your hostname matches your certificate’s hostname, you can set validateSSLCertificateHostname parameter to false in order to disable SSL/TLS validation globally for your JVM.
plugin: disable SSL/TLS validation for the JVM only when the controller’s hostname matches the certificate’s hostname
This setting can be found at the following location:
1. Manage Jenkins XSS Plugins Configuration page
2. Manage Jenkins XSS Plugin Configuration page in the Global section
3. Manage Jenkins XSS Plugin Configuration in a particular JNLP plugin
Check the version of Jenkins you have installed
The vulnerability has been fixed in Jenkins XSS-20121020-97.
If you are running a version of Jenkins which is earlier than this, it is highly recommended that you upgrade to the latest version immediately. If you cannot upgrade your Jenkins server, you can disable SSL/TLS validation for the entire JVM by setting validateSSLCertificateHostname to false.
Disable SSL/TLS certificate validation for the Jenkins JVM only if the controller’s hostname match the certificate’s hostname
If the controller’s hostname does not match the certificate’s hostname, the plugin will still disable SSL/TLS validation for the entire Jenkins JVM. This means that if an attacker is able to inject an SSL/TLS certificate which has the same hostname as the controller’s hostname, the vulnerability will still be present. However, an attacker would have a much harder time trying to use this certificate to compromise the Jenkins server.
In order to find out whether an SSL/TLS certificate has the same hostname as the JVM’s hostname, you can run the following command against the server certificate: openssl x509 -in server.crt -noout -hash The output of this command will be the fingerprint of the server certificate. To disable certificate validation globally for the JVM, you can set validateSSLCertificateHostname to false.
Timeline
Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 04:49:00 UTC