Jenkins Tomcat Secure and HttpOnly flags are not set for cookies

2015.01.22
Risk: Low
Local: No
Remote: Yes
CWE: N/A

Dear Maintainer,

The Jenkins currently shipped with Debian doesn't correctly set the HttpOnly and Secure options on session cookies. The first option prevents the cookies from being read by scripts, thus preventing XSS vulnerabilities from stealing sessions. The second option prevents the session cookie from being sent over a clear HTTP connection, thus preventing malevolent users from stealing the session cookie while redirecting users to HTTP access.

There is already an upstream bug for this problem located at this URL: https://issues.jenkins-ci.org/browse/JENKINS-25019 with a proposed fix that only addresses the HttpOnly issue for Tomcat.

The problem is reported in the Tomcat log with the following lines:

WARNING: Failed to set secure cookie flag
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at jenkins.model.JenkinsLocationConfiguration.updateSecureSessionFlag(JenkinsLocationConfiguration.java:123)
    at jenkins.model.JenkinsLocationConfiguration.load(JenkinsLocationConfiguration.java:71)
    at jenkins.model.JenkinsLocationConfiguration.<init>(JenkinsLocationConfiguration.java:46)
    at jenkins.model.JenkinsLocationConfiguration$$FastClassByGuice$$a6785528.newInstance(<generated>)
    at net.sf.cglib.reflect.FastConstructor.newInstance(FastConstructor.java:40)
    at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
    at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:429)
[...]
    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Property HttpOnly can not be added to SessionCookieConfig for context /jenkins as the context has been initialised
    at org.apache.catalina.core.ApplicationSessionCookieConfig.setHttpOnly(ApplicationSessionCookieConfig.java:107)
    ... 90 more

Thanks in advance for your help on this issue.

Yann Rouillard
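The report above describes the symptom (the HttpOnly and Secure attributes missing from the Jenkins session cookie) but gives no way to confirm whether a given deployment is affected. The following script is an added example, not part of the Debian bug report or of the Jenkins or Tomcat projects: it parses captured HTTP response headers (for instance the output of a HEAD request against the Jenkins base URL) and reports session cookies that lack either attribute. The sample header lines, the cookie value and the `served_over_https` parameter are constructed for the example; only the cookie name prefix `JSESSIONID` matches what a Tomcat-hosted Jenkins actually issues.

```python
"""Audit captured Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example for the Debian bug report on Jenkins/Tomcat session cookies.
The header lines below are constructed; in practice they come from a
captured response (e.g. `curl -sI https://jenkins.example/jenkins/`).
"""
import re

# Tomcat's session cookie is JSESSIONID; Jenkins appends a per-instance suffix
# (JSESSIONID.<hash>), so match on the prefix only.
SESSION_COOKIE_PATTERN = re.compile(r"^JSESSIONID", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so 'HttpOnly', 'httponly' and 'HTTPONLY'
    all compare equal; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header_value, served_over_https=True):
    """Return a list of findings for one Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (cookie readable by page scripts)")
    # Secure only matters if the site is reachable over HTTPS; without it the
    # browser will also send the cookie over plain HTTP.
    if served_over_https and "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie would be sent over plain HTTP)")
    return findings


def audit_response_headers(raw_headers, served_over_https=True):
    """Audit every session cookie found in a list of raw header lines."""
    findings = []
    for line in raw_headers:
        header_name, _, header_value = line.partition(":")
        if header_name.strip().lower() != "set-cookie":
            continue
        cookie_name, _, _ = parse_set_cookie(header_value)
        if SESSION_COOKIE_PATTERN.match(cookie_name):
            findings.extend(audit_cookie(header_value, served_over_https))
    return findings


# Constructed sample: what an affected Jenkins behind Tomcat might send.
AFFECTED_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID.0a1b2c3d=node0constructedvalue; Path=/jenkins",
    "Set-Cookie: screenResolution=1920x1080; Path=/",
]

# Constructed sample: the same response once both attributes are set.
FIXED_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID.0a1b2c3d=node0constructedvalue; Path=/jenkins; HttpOnly; Secure",
]

if __name__ == "__main__":
    for label, headers in (("affected", AFFECTED_HEADERS), ("fixed", FIXED_HEADERS)):
        result = audit_response_headers(headers)
        print(f"{label}: {result if result else 'no findings'}")
```

Because the Tomcat exception in the report shows that `SessionCookieConfig` can no longer be changed once the context is initialised, the check is most useful after applying the deployment-time fix rather than the runtime one: in a Servlet 3.0 `web.xml` the `<session-config>/<cookie-config>` element accepts `<http-only>true</http-only>` and `<secure>true</secure>`, which Tomcat applies before the context starts and which therefore does not hit the `IllegalStateException` above. Re-running the audit against the captured headers then confirms that both attributes are actually present on the wire.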

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
