A critical vulnerability in the open source automation tool Jenkins could allow permission checks to be bypassed through specially crafted URLs. Jenkins uses the Stapler web framework for HTTP request handling, and Stapler uses reflection to dispatch incoming web requests to controller code. In practice, any public method whose name starts with "get" and whose parameters are strings and integers can be invoked by a web request. Because this is a common naming convention, a number of internal Jenkins methods were inadvertently reachable from the network.

The precise impact is not clear. The advisory notes that code execution could be a possible outcome, though on closer inspection this appears to be a worst-case scenario.

"To clarify, the vulnerability we addressed had nothing to do with arbitrary code execution, but was rather an issue discovered by the Jenkins security team that allowed a small subset of existing Jenkins code to be invoked by a remote client," Daniel Beck, Jenkins security officer, told The Daily Swig in an email. "While the known impact is pretty limited, we felt that the layer at which the vulnerability existed, and its potential, warranted a higher score."

The known attacks include unauthenticated users being able to invalidate sessions when Jenkins runs with the built-in server, and users with Overall/Read permission being able to create new user objects in memory.

The advisory reads: "Given the vast potential attack surface, we fully expect other attacks, that we are not currently aware of, to be possible on Jenkins releases that do not have this fix applied. This is reflected in the high score we assigned to this issue, rather than limiting the score to the impact through known issues."

Beck added: "Jenkins users should always keep their instances up to date. In this case, we released updates for two LTS lines simultaneously for the first time, so admins could apply the update without having to go through a major version jump. We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner."

Apache Struts also relies on reflection, through the OGNL expression language, and has suffered a number of serious security flaws in recent years. In 2017, a vulnerability in the framework was exploited to expose the details of up to 148 million Equifax customers. Another flaw, revealed in August 2018, could lead to remote code execution. These issues underline the dangers of applying reflection to untrusted input. Application architects would do well to avoid the practice or, where dynamic dispatch is unavoidable, to restrict it to an explicit list of intended entry points rather than a naming convention.
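The following is an added example, not Jenkins or Stapler code, that models the problem described above in Python: a dispatcher that routes URL segments to any public get<Name>(str|int, ...) method by naming convention, placed beside a dispatcher that only routes through an explicit allowlist. The Controller class, its getSessionInvalidated helper and the WEB_ROUTES table are constructed for the illustration and do not correspond to real Jenkins methods.

```python
import inspect


class Controller:
    """Constructed controller: one getter is meant for the web, one is not."""

    def __init__(self):
        self.sessions = {"alice": "token-1", "bob": "token-2"}

    def getUser(self, name: str):
        """Intended web endpoint."""
        return {"name": name, "logged_in": name in self.sessions}

    def getSessionInvalidated(self, name: str):
        """Internal helper never meant to be URL-reachable. It still matches
        the 'get' prefix + string parameter convention, so a convention-based
        dispatcher will happily route /sessionInvalidated/<name> to it."""
        return self.sessions.pop(name, None) is not None


def _coerce_args(method, raw_args):
    """Map URL path segments onto the method's str/int parameters."""
    params = list(inspect.signature(method).parameters.values())
    if len(params) != len(raw_args):
        raise LookupError("wrong number of path segments")
    coerced = []
    for param, raw in zip(params, raw_args):
        if param.annotation is int:
            coerced.append(int(raw))
        elif param.annotation in (str, inspect.Parameter.empty):
            coerced.append(raw)
        else:
            raise LookupError("parameter type not routable")
    return coerced


def dispatch_by_convention(obj, path: str):
    """Vulnerable pattern: every public get<Name>(str|int, ...) is a route."""
    segment, *raw_args = path.strip("/").split("/")
    method_name = "get" + segment[:1].upper() + segment[1:]
    method = getattr(obj, method_name, None)
    if not callable(method):
        raise LookupError(f"no route for {path}")
    return method(*_coerce_args(method, raw_args))


# Hardened pattern: an explicit allowlist of URL segment -> method name.
WEB_ROUTES = {"user": "getUser"}


def dispatch_allowlisted(obj, path: str):
    """Only methods named in WEB_ROUTES are reachable; everything else 404s."""
    segment, *raw_args = path.strip("/").split("/")
    method_name = WEB_ROUTES.get(segment)
    if method_name is None:
        raise LookupError(f"no route for {path}")
    method = getattr(obj, method_name)
    return method(*_coerce_args(method, raw_args))


if __name__ == "__main__":
    c = Controller()
    print(dispatch_by_convention(c, "/user/alice"))                # intended route
    print(dispatch_by_convention(c, "/sessionInvalidated/alice"))  # unintended: logs alice out
    print(dispatch_by_convention(c, "/user/alice"))                # logged_in is now False
    try:
        dispatch_allowlisted(Controller(), "/sessionInvalidated/alice")
    except LookupError as exc:
        print("allowlisted dispatcher:", exc)
```

The convention-based dispatcher cannot tell an intended endpoint from an internal helper that merely shares the naming pattern; the allowlist makes the exposed surface a deliberate, reviewable list instead of a side effect of method names.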
Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day buffer overflow (CVE-2017-7269) caused by improper validation of the If header in a PROPFIND request. A remote attacker could exploit the flaw in the IIS WebDAV component with a crafted PROPFIND request. Successful exploitation could result in a denial of service condition or arbitrary code execution in the context of the user running the application. According to the researchers who found the flaw, it was exploited in the wild in July or August 2016, and other threat actors are now building malicious code on top of the original proof-of-concept (PoC).

Web Distributed Authoring and Versioning (WebDAV) is an extension of HTTP that allows clients to perform remote web content authoring operations. WebDAV extends the set of standard HTTP methods and headers allowed in a request; examples of WebDAV methods are COPY, LOCK, MKCOL, PROPFIND and UNLOCK. This vulnerability is triggered through the PROPFIND method and the If header. PROPFIND retrieves properties defined on the resource identified by the Request-URI, and every WebDAV-compliant resource must support it. The If header carries lock state tokens and ETags: it makes the request conditional by supplying a series of state lists whose conditions match tokens and ETags to specific resources. If every state list in the If header fails, the request fails with a 412 (Precondition Failed) status. Because IIS 6.0 ships with Windows Server 2003, which left extended support in July 2015, disabling the WebDAV extension wherever it is not needed is the first line of defence.
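As an added example (not code from the researchers or from Microsoft), the following Python triage check parses raw HTTP request heads and flags PROPFIND requests whose If header is oversized, contains non-printable bytes, or is not built from the RFC 4918 state-list pieces (<state-token>, [ETag], parentheses and Not). The 512-byte threshold and the three sample requests are assumptions constructed for the illustration; this is a detection aid for reviewing captured WebDAV traffic, not a signature for the exploit.

```python
import re

# Pieces an RFC 4918 If header may be built from: <state-token>, [ETag],
# parentheses and the keyword Not. Anything else is not a valid state list.
IF_TOKEN = re.compile(r"\s*(?:<[^>]*>|\[[^\]]*\]|\(|\)|Not)")
MAX_IF_LEN = 512  # assumption: a generous bound for real lock-token/ETag lists


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def if_header_well_formed(value: str) -> bool:
    """True if the header is only RFC 4918 tokens with balanced parentheses."""
    pos, depth = 0, 0
    while pos < len(value):
        m = IF_TOKEN.match(value, pos)
        if m is None:
            return False
        token = m.group().strip()
        if token == "(":
            depth += 1
        elif token == ")":
            depth -= 1
            if depth < 0:
                return False
        pos = m.end()
    return depth == 0


def assess(raw: bytes) -> list:
    """Return a list of findings for one request; empty means nothing odd."""
    method, _target, headers = parse_request(raw)
    findings = []
    if method.upper() != "PROPFIND" or "if" not in headers:
        return findings
    value = headers["if"]
    if len(value) > MAX_IF_LEN:
        findings.append(f"If header is {len(value)} bytes, over {MAX_IF_LEN}")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in value):
        findings.append("If header contains non-printable or non-ASCII bytes")
    if not if_header_well_formed(value):
        findings.append("If header is not RFC 4918 state-list syntax")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: files.example.test\r\nDepth: 1\r\n"
          b"If: (<urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6>)\r\n\r\n")
GET_WITH_IF = (b"GET /docs/ HTTP/1.1\r\nHost: files.example.test\r\n"
               b"If: (<urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6>)\r\n\r\n")
SUSPICIOUS = (b"PROPFIND / HTTP/1.1\r\nHost: files.example.test\r\n"
              b"If: <http://localhost/" + b"\x90" * 600 + b"> (Not <locktoken:x>\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("get", GET_WITH_IF), ("suspicious", SUSPICIOUS)):
        print(label, assess(req))
```

Run it over one request head at a time; anything returned from assess is worth a closer look, and a PROPFIND that trips all three checks at once should be treated as hostile until proven otherwise.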
Having had more than a week to digest Cloudbleed's causes and impact, Cloudflare CEO Matthew Prince assessed the damage yesterday in a lengthy post-mortem as relatively low. Prince said there is no evidence that the vulnerability, which leaked customer data from memory, was exploited by attackers. The bug, however, was triggered more than 1.2 million times from 6,500 sites that met the criteria under which it could be exploited. In the meantime, Cloudflare continues to work with Google and other search engine providers to scrub cached pages that could contain leaked memory.

"We've successfully removed more than 80,000 unique cached pages. That underestimates the total number because we've requested search engines purge and recrawl entire sites in some instances," Prince said.

Prince said the leaks included internal Cloudflare headers and customer cookies, but that there was no evidence of passwords, encryption keys, payment card data or health records among them. The vulnerability was privately disclosed on Feb 17 by Google Project Zero researcher Tavis Ormandy, who reported that he did see crypto keys, passwords, POST data and HTTPS requests for other Cloudflare-hosted sites among data from other requests. Ormandy initially said in a tweet that Cloudflare was leaking customer HTTPS sessions for Uber, FitBit, OKCupid and others, all of which said the impact of Cloudbleed on their data was minimal. "While the bug was very bad and had the potential to be much worse," Prince said.

Prince explained that the bug was triggered only when a web page passing through the Cloudflare network contained HTML ending with an un-terminated attribute, and only if a number of Cloudflare features were turned on.

Those features work hand in hand with a Cloudflare stream parser that scans and modifies content in real time, for example rewriting HTTP links to HTTPS (a feature called Automatic HTTPS Rewrites) or hiding email addresses on a page from spammers (a feature called Email Address Obfuscation). The page ending with an un-terminated attribute was the key condition.

"When a page for a particular customer is being parsed it is stored in memory on one of the servers that is a part of our infrastructure. Contents of the other customers' requests are also in adjacent portions of memory on Cloudflare's servers," Prince said. "The bug caused the parser, when it encountered an un-terminated attribute at the end of a page, to not stop when it reached the end of the portion of memory for the particular page being parsed. Instead, the parser continued to read from adjacent memory, which contained data from other customers' requests. The contents of that adjacent memory were then dumped onto the page with the flawed HTML."

Anyone accessing one of those pages would see the memory dump, which looks a lot like random text, Prince said. An attacker would need to hammer one of those sites with numerous requests to trigger the bug and then record the results, getting a mix of useless data and sensitive information, Prince said.

"The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google's Project Zero team and were able to patch it," Prince said. "For the last 12 days we've been reviewing our logs to see if there's any evidence to indicate that a hacker was exploiting the bug before it was patched. We've found nothing so far to indicate that was the case."
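The following is an added example, not Cloudflare's parser, that models the failure mode Prince describes above in Python: an attribute-value scanner that looks for the closing quote without honouring the end of its own page buffer, next to a bounded version that stops at the page end and reports the un-terminated attribute. ARENA, PAGE_A and PAGE_B are constructed stand-ins for two customers' data sitting side by side in a server's memory.

```python
# Constructed data: two customers' buffers laid out back to back, standing in
# for adjacent regions of a shared server's memory.
PAGE_A = b'<p>hello</p><a href="/next'   # ends in an un-terminated attribute
PAGE_B = (b"GET /account HTTP/1.1\r\n"
          b'Cookie: session=OTHER-CUSTOMER-SECRET"\r\n')
ARENA = PAGE_A + PAGE_B
PAGE_A_END = len(PAGE_A)


def attr_value_start(buf: bytes) -> int:
    """Index of the first byte of the href value in the page being parsed."""
    return buf.index(b'href="') + len(b'href="')


def scan_attr_vulnerable(buf: bytes, start: int) -> int:
    """Return the index of the closing quote. Unbounded: it keeps reading
    until it finds a quote, whatever memory that quote happens to live in.
    (With no quote anywhere this raises IndexError here; a native parser
    would keep walking into other data or unmapped memory instead.)"""
    i = start
    while buf[i] != ord('"'):
        i += 1
    return i


def scan_attr_fixed(buf: bytes, start: int, end: int):
    """Bounded scan: stop at `end` and report whether a quote was found."""
    i = start
    while i < end and buf[i] != ord('"'):
        i += 1
    return i, i < end


def leaked_bytes_vulnerable() -> bytes:
    """Bytes beyond PAGE_A that the unbounded scan treated as page content."""
    stop = scan_attr_vulnerable(ARENA, attr_value_start(ARENA))
    return ARENA[PAGE_A_END:stop] if stop > PAGE_A_END else b""


def leaked_bytes_fixed() -> bytes:
    """Same scan with the page bound enforced: nothing past PAGE_A is read."""
    stop, terminated = scan_attr_fixed(ARENA, attr_value_start(ARENA), PAGE_A_END)
    assert not terminated, "page A has no closing quote, so this must be False"
    return ARENA[PAGE_A_END:stop]   # always empty, because stop <= PAGE_A_END


if __name__ == "__main__":
    print("vulnerable parser leaked:", leaked_bytes_vulnerable())
    print("fixed parser leaked:", leaked_bytes_fixed())
```

The unbounded scan returns the other customer's cookie as if it were part of the href value, which is exactly what ended up in cached pages; the bounded scan returns an empty slice plus a "not terminated" flag that the caller can use to stop rewriting rather than emit whatever follows the page in memory.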
Prince said Cloudflare customers who find leaked data in a cache can send a link to it to parserbug@cloudflare[.]com.

Over 2,000 WordPress sites are infected as part of a keylogger campaign that leverages an old malicious script.