[JIRA] (JENKINS-58734) DefaultCrumbIssuer should use more secure hashing algorithm


boards@gmail.com (JIRA)

Jul 30, 2019, 3:11:01 PM
to jenkinsc...@googlegroups.com
Matt Sicker started work on Improvement JENKINS-58734
 
Change By: Matt Sicker
Status: Open → In Progress
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

boards@gmail.com (JIRA)

Jul 30, 2019, 3:11:02 PM
to jenkinsc...@googlegroups.com
Matt Sicker created an issue
 
Jenkins / Improvement JENKINS-58734
DefaultCrumbIssuer should use more secure hashing algorithm
Issue Type: Improvement
Assignee: Matt Sicker
Components: core
Created: 2019-07-30 19:10
Priority: Minor
Reporter: Matt Sicker

The default crumb issuer for Jenkins uses an MD5 hash of some state data to create a crumb for users. This may be hypothetically vulnerable to brute forcing of MD5 hashes to form a valid crumb if the crumb's state is predictable to some level of detail (unsure on the specifics, hence why it's just hypothetical). This is most predictable when the administrator excludes remote IP address and session ID information from being used to seed the crumb, so it's a somewhat contrived scenario potentially. This can be hardened by simply updating the message digest algorithm chosen. Since all JDKs must support SHA-256 as well, this seems like a reasonable update.
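To make the proposed change concrete, here is an added illustration of how a crumb issuer of the kind described in the ticket derives and checks a crumb, with the digest algorithm as the only knob that changes. This is example code written for this page, not Jenkins' DefaultCrumbIssuer; the class name, the field layout (user, session ID, remote address, secret salt), the `null`-means-excluded convention for the optional fields and the sample inputs in `main` are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/** Hypothetical crumb issuer: a digest over request state plus a per-instance secret salt. */
public final class CrumbExample {
    private final String algorithm; // "MD5" (the legacy choice) or "SHA-256" (the hardened one)
    private final byte[] salt;      // assumed: random secret generated once per instance

    CrumbExample(String algorithm, byte[] salt) {
        this.algorithm = algorithm;
        this.salt = salt.clone();
    }

    /**
     * Derives a crumb from the caller's state. A null sessionId or remoteAddress models the
     * administrator option, mentioned in the ticket, of excluding that field from the seed.
     */
    String issueCrumb(String userName, String sessionId, String remoteAddress) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(userName.getBytes(StandardCharsets.UTF_8));
            md.update((byte) ';');
            if (sessionId != null) {
                md.update(sessionId.getBytes(StandardCharsets.UTF_8));
            }
            md.update((byte) ';');
            if (remoteAddress != null) {
                md.update(remoteAddress.getBytes(StandardCharsets.UTF_8));
            }
            md.update((byte) ';');
            md.update(salt); // the secret is what keeps the state unpredictable
            return toHex(md.digest());
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every JDK, so this only fires for a misconfigured name.
            throw new IllegalStateException("digest not available: " + algorithm, e);
        }
    }

    /** Recomputes the crumb for the current state and compares in constant time. */
    boolean isValid(String submitted, String userName, String sessionId, String remoteAddress) {
        if (submitted == null) {
            return false;
        }
        byte[] expected = issueCrumb(userName, sessionId, remoteAddress).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = submitted.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[] salt = new byte[32];
        new SecureRandom().nextBytes(salt);
        CrumbExample legacy = new CrumbExample("MD5", salt);
        CrumbExample hardened = new CrumbExample("SHA-256", salt);

        // Constructed sample state for the demonstration.
        String md5Crumb = legacy.issueCrumb("alice", "sess-123", "10.0.0.5");
        String shaCrumb = hardened.issueCrumb("alice", "sess-123", "10.0.0.5");
        System.out.println("MD5 crumb     (" + md5Crumb.length() + " hex chars): " + md5Crumb);
        System.out.println("SHA-256 crumb (" + shaCrumb.length() + " hex chars): " + shaCrumb);

        System.out.println("same state validates:   " + hardened.isValid(shaCrumb, "alice", "sess-123", "10.0.0.5"));
        System.out.println("other address rejected: " + hardened.isValid(shaCrumb, "alice", "sess-123", "10.0.0.9"));
        // With the address excluded from the seed, a crumb no longer distinguishes clients by IP.
        CrumbExample noIp = new CrumbExample("SHA-256", salt);
        String c = noIp.issueCrumb("alice", "sess-123", null);
        System.out.println("address excluded, other IP still valid: " + noIp.isValid(c, "alice", "sess-123", null));
    }
}
```

Two things are visible from running it: the hardening is purely a change of the `MessageDigest` name (the crumb grows from 32 to 64 hex characters, and no caller-facing interface changes), and the fields that go into the seed, together with the secret salt, are what actually determine how predictable the crumb is, which is why the ticket singles out the configuration that excludes the remote address and session ID.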

boards@gmail.com (JIRA)

Jul 30, 2019, 4:42:01 PM
to jenkinsc...@googlegroups.com

boards@gmail.com (JIRA)

Jul 30, 2019, 4:42:02 PM
to jenkinsc...@googlegroups.com

dbeck@cloudbees.com (JIRA)

Aug 20, 2019, 12:27:04 PM
to jenkinsc...@googlegroups.com
Change By: Daniel Beck
Status: In Review → Resolved
Resolution: Fixed
Released As: 2.190