Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-39547

Corrupt node jar cache causes node to malfunction

      Remoting does not check whether the cached file's checksum matches before using it[1]. User with build permission can use this to inject new classes or different class implementations/resource content manipulating the cache and waiting for agent to restart.

      This can be used for denial of service attack against nodes as they will connect to Jenkins correctly but refuse to fulfill remoting requests with strange exceptions.

      More sophisticated attack can trick agent to execute custom code and therefore produce incorrect results, try to abuse existing {{SlaveToMasterCallable}}s or generate malicious files/reports to be published on masters.

      There do not seem to be a way to load those classes to master JVM or send new callable there if slave2master security is on, AFAIK.

      [1] https://github.com/jenkinsci/remoting/blob/0d8a2af7cffa6aa5a6f2675e810b286a984af04e/src/main/java/hudson/remoting/FileSystemJarCache.java#L65-70

          [JENKINS-39547] Corrupt node jar cache causes node to malfunction

          Oliver Gondža created issue -
          Oliver Gondža made changes -
          Summary Original: Corrpt node jar cache causes node to malfunction New: Corrupt node jar cache causes node to malfunction
          Oliver Gondža made changes -
          Component/s New: remoting [ 15489 ]
          Component/s Original: remoting [ 21447 ]
          Key Original: SECURITY-357 New: JENKINS-39547
          Workflow Original: Security v1.2 [ 213281 ] New: JNJira + In-Review [ 213302 ]
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Status Original: Untriaged [ 10001 ] New: Resolved [ 5 ]
          Oliver Gondža made changes -
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]
          Oliver Gondža made changes -
          Status Original: Reopened [ 4 ] New: In Progress [ 3 ]
          Oliver Gondža made changes -
          Remote Link New: This issue links to "Jenkins #2620 (Web Link)" [ 15026 ]
          Oliver Gondža made changes -
          Remote Link New: This issue links to "Remoting #130 (Web Link)" [ 15027 ]
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
          Oleg Nenashev made changes -
          Labels New: lts-candidate
          Oliver Gondža made changes -
          Labels Original: lts-candidate New: 2.32. lts-candidate
          Oliver Gondža made changes -
          Labels Original: 2.32. lts-candidate New: 2.32.2-fixed lts-candidate

            olivergondza Oliver Gondža
            olivergondza Oliver Gondža
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: