Last month, Jenkins developers released Jenkins version 2.219, where they fixed a vulnerability that is tracked as CVE-2020-2100. Now they are warning that this bug can be used to strengthen DDoS attacks.
Jenkins supports two network discovery protocols: multicast/broadcast over UDP and DNS multicast. Both are enabled by default and let Jenkins servers discover each other and work in clusters.
It is well known that UDP services are often abused to amplify DDoS attacks, and last year Adam Thorn of Cambridge University discovered that the Jenkins UDP discovery protocol (UDP port 33848) can be used in the same way: abusing it amplifies DDoS traffic.
As a result, Jenkins developers write that Jenkins servers can be used in DDoS attacks, amplifying them by about 100 times: “a single-byte request to this service will return more than 100 bytes of Jenkins metadata.”
An amplification factor of 100 sounds very dangerous, but journalists at ZDNet say the situation is not that bad. At the publication's request, an unnamed DDoS-mitigation specialist tested this attack vector last week. It turned out that, despite the fairly high amplification coefficient, such attacks cannot be called reliable, because exploiting the problem against Internet-facing Jenkins servers often causes those servers to malfunction. The same bug has another side effect: Jenkins servers can be made to send packets to each other continuously, ending up in an infinite loop, so their operation is ultimately interrupted by that failure as well.
However, experts in any case recommend updating Jenkins to version 2.219, or at least blocking all incoming traffic on UDP port 33848.
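To see what the amplification described above looks like from the defender's side, here is an added example (not code from the article, ZDNet, or the Jenkins project) that runs simple detection logic over per-packet flow summaries for the discovery port. The record format, the `INTERNAL_NETWORKS` list, the 10x threshold and the "discovery port on both ends" heuristic for the reply-loop side effect are all assumptions for illustration; the sample records are constructed.

```python
"""Flag likely abuse of the Jenkins UDP discovery port (UDP 33848).

Added example, not from the article or the Jenkins project. The flow record
format is a constructed, hypothetical one ("<dir> <proto> <remote_ip>
<remote_port> <local_port> <bytes>", direction relative to the Jenkins host);
adapt parse_flows() to whatever your firewall or flow collector emits.
"""
import ipaddress
from collections import defaultdict

JENKINS_DISCOVERY_PORT = 33848
AMPLIFICATION_THRESHOLD = 10.0  # assumed: flag when bytes_out / bytes_in >= 10

# Assumed: networks where legitimate Jenkins cluster peers live.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample records: 1-byte probes answered with ~118-byte replies
# (the roughly 100x pattern the article describes), a peer whose packets use
# port 33848 on both ends, and unrelated TCP traffic that must be ignored.
SAMPLE_FLOWS = """\
in  udp 203.0.113.10 40000 33848 1
out udp 203.0.113.10 40000 33848 118
in  udp 203.0.113.10 40000 33848 1
out udp 203.0.113.10 40000 33848 118
in  udp 10.0.0.7 33848 33848 64
out udp 10.0.0.7 33848 33848 120
in  tcp 198.51.100.5 51000 8080 400
out tcp 198.51.100.5 51000 8080 9000
"""


def parse_flows(text):
    """Parse the constructed record format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, proto, ip, rport, lport, nbytes = line.split()
        flows.append({"direction": direction, "proto": proto, "remote_ip": ip,
                      "remote_port": int(rport), "local_port": int(lport),
                      "bytes": int(nbytes)})
    return flows


def discovery_traffic_by_peer(flows):
    """Sum bytes in/out per remote address for UDP flows touching port 33848."""
    totals = defaultdict(lambda: {"in": 0, "out": 0, "loop_packets": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if JENKINS_DISCOVERY_PORT not in (f["local_port"], f["remote_port"]):
            continue
        t = totals[f["remote_ip"]]
        t[f["direction"]] += f["bytes"]
        # Heuristic (assumed): a reply landing on the other side's discovery
        # port is what lets two servers answer each other indefinitely.
        if f["local_port"] == JENKINS_DISCOVERY_PORT == f["remote_port"]:
            t["loop_packets"] += 1
    return dict(totals)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def flag_abuse(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Return (remote_ip, amplification_factor, reasons) for suspicious peers.

    A large out/in byte ratio toward a non-internal address is the signature
    of the host being used as a reflector against a spoofed victim.
    """
    findings = []
    for ip, t in discovery_traffic_by_peer(flows).items():
        factor = t["out"] / t["in"] if t["in"] else float("inf")
        reasons = []
        if t["in"] and factor >= threshold and not is_internal(ip):
            reasons.append(f"amplification x{factor:.0f} toward external address")
        if t["loop_packets"]:
            reasons.append("discovery port on both ends (possible reply loop)")
        if reasons:
            findings.append((ip, round(factor, 1), reasons))
    return findings


if __name__ == "__main__":
    for ip, factor, reasons in flag_abuse(parse_flows(SAMPLE_FLOWS)):
        print(f"{ip}: x{factor} {'; '.join(reasons)}")
```

Any peer the script reports as an external amplification target is a sign the host is already being used as a reflector, which is exactly the case the article's advice addresses: upgrade to 2.219, or drop inbound UDP 33848 at the perimeter.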