Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-71186

Web application scanners report HTTP vulnerability on socket created by TcpSlaveAgentListener


    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • core
    • None
    • 2.417

      TcpSlaveAgentListener responds to HTTP GET requests with a canned "hello" response:

          if (header.startsWith("GET ")) {
              // this looks like an HTTP client
              respondHello(header, s);
      {{    }}}

      Web application scanners can perform GET requests on listening TCP sockets to find potential vulnerabilities. One such check is to ensure the response contains an X-Content-Type-Options header. Jenkins added this header to all HTTP responses back in 2015 to resolve SECURITY-177.

      I don't believe the canned "hello" response from the TcpSlaveAgentListener is exploitable; however, it would be nice to include this header in the canned response so scanners don't flag it as a potential vulnerability going forward.

      The change is simple:

      diff --git a/core/src/main/java/hudson/TcpSlaveAgentListener.java b/core/src/main/java/hudson/TcpSlaveAgentListener.java
      index 99c83866df..dbe280535d 100644
      --- a/core/src/main/java/hudson/TcpSlaveAgentListener.java
      +++ b/core/src/main/java/hudson/TcpSlaveAgentListener.java
      @@ -315,6 +315,7 @@ public final class TcpSlaveAgentListener extends Thread {
                       if (header.startsWith("GET / ")) {
                           response = "HTTP/1.0 200 OK\r\n" +
                                   "Content-Type: text/plain;charset=UTF-8\r\n" +
      +                            "X-Content-Type-Options: nosniff\r\n" +
                                   "\r\n" +
                                   "Jenkins-Agent-Protocols: " + getAgentProtocolNames() + "\r\n" +
                                   "Jenkins-Version: " + Jenkins.VERSION + "\r\n" +

            jimliu Zhun Wei
            tyjad John Smith
            0 Vote for this issue
            1 Start watching this issue