This issue affects Jenkins Enterprise installations that have enabled any of the following plugins: Dynatrace, Goss, Monitis, Pingdom, Protobox, Scrollwork, SendGrid, Slack, StatsD, Twilio, UptimeRobot, Veetle, Vipul’s, X-Ray, Zapier, or other plugins that use the Jenkins server’s built-in Jenkins API. An attacker could use this vulnerability to set up a fake webhook and have critical information sent to their own website. Prior to version 1.84.1, Jenkins used the gettimeofday() system call to compare the time of the received webhook token with the time when the webhook token was created. Since the second value of this function is always calculated relative to the first value, this can be used as an oracle to determine whether the two timestamps are equal. This oracle, however, is based on the relative time of the computer that performs the comparison. This issue has been addressed by now comparing the time of the received webhook token with the time of the webhook token that is checked for equality. As a result, plugin developers are now required to use the gettimeofday() system call to check whether the time of the received webhook token is equal to the time of the webhook token that is checked for equality. An attacker could potentially use this issue to craft a fake webhook token

Jenkins security vulnerabilities

Jenkins is an open source automation server with a vast set of plugins that help companies automate their infrastructure. It is used by well-known companies such as Spotify and Netflix, and it also hosts Jenkins’ own internal tools for continuous integration and continuous delivery.
Through the use of plugins, Jenkins can be made to do almost anything. However, this also exposes the platform to vulnerabilities that could lead to system compromise. It is therefore critical for companies using Jenkins to have security awareness training and installation best practices in place before introducing new plugins.

How Does Jenkins Compare Webhook Tokens?

As mentioned, before version 1.84.1, Jenkins used the gettimeofday() system call to compare the time of the received webhook token with the time when the webhook token was created. Since the second value of this function is always calculated relative to the first value, this can be used as an oracle to determine whether the two timestamps are equal. This oracle, however, is based on the relative time of the computer that performs the comparison. To address this issue and ensure that plugins cannot use this functionality to monitor information about their own activities, Jenkins now compares the time of a received webhook token with a specified timestamp (timestamp = 1386109916000).

Requirements for this vulnerability

To exploit this issue, the attacker needs to know the timestamp of when a webhook token was created. The attacker can then use this information to craft a fake webhook token with a later timestamp than the one that is checked for equality. For the issue to be exploitable, Jenkins must be configured with webhooks enabled and with webhook tokens being checked for equality. The following plugins are vulnerable:
- Dynatrace
- Goss
- Monitis
- Pingdom
- Protobox
- Scrollwork
- SendGrid
- Slack
- StatsD
- Twilio
- UptimeRobot
- Veetle
- Vipul’s
- Xray
- Zapier

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/20/2022 19:21:00 UTC