Subject: jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
Package: jenkins-tomcat
Version: 1.565.3-2.1
Severity: grave
Tags: security

Dear Maintainer,

The Jenkins currently shipped with Debian doesn't correctly set the HttpOnly and
Secure options on session cookies.

The first option prevents the cookie from being read by scripts, thus preventing
XSS vulnerabilities from stealing sessions.
The second option prevents the session cookie from being sent over a clear HTTP
connection, thus preventing malevolent users from stealing the session cookie
while redirecting users to HTTP access.

There is already an upstream bug for this problem located at this url:
https://issues.jenkins-ci.org/browse/JENKINS-25019
with a proposed fix that only addresses the HttpOnly issue for Tomcat.

The problem is reported in Tomcat log with the following lines:

WARNING: Failed to set secure cookie flag
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at jenkins.model.JenkinsLocationConfiguration.updateSecureSessionFlag(JenkinsLocationConfiguration.java:123)
        at jenkins.model.JenkinsLocationConfiguration.load(JenkinsLocationConfiguration.java:71)
        at jenkins.model.JenkinsLocationConfiguration.<init>(JenkinsLocationConfiguration.java:46)
        at jenkins.model.JenkinsLocationConfiguration$$FastClassByGuice$$a6785528.newInstance(<generated>)
        at net.sf.cglib.reflect.FastConstructor.newInstance(FastConstructor.java:40)
        at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
        at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:429)
        [...]
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Property HttpOnly can not be added to SessionCookieConfig for context /jenkins as the context has been initialised
        at org.apache.catalina.core.ApplicationSessionCookieConfig.setHttpOnly(ApplicationSessionCookieConfig.java:107)
        ... 90 more

Thanks in advance for your help on this issue.

Yann Rouillard


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages jenkins-tomcat depends on:
ii  jenkins-common  1.565.3-2
ii  tomcat8         8.0.14-1

jenkins-tomcat recommends no packages.

jenkins-tomcat suggests no packages.

-- Configuration Files:
/etc/jenkins/jenkins-tomcat.xml changed [not included]

-- no debconf information
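Editor's note: the following is an added check for the problem this report describes, not code from the report, from Jenkins, from Tomcat or from the Debian package. It fetches one page from a Jenkins URL given on the command line (the URL and the fact that that page starts a session are assumptions about the reader's deployment; the cookie name JSESSIONID is Tomcat's default) and reports which of HttpOnly and Secure are absent from the session cookie. The Secure requirement is relaxed for a plain-HTTP Jenkins URL, since a Secure cookie on such a site would never be sent back by the browser, which is why Jenkins ties the flag to its configured URL (the updateSecureSessionFlag frame in the trace above). The sample headers at the bottom are constructed so the script also runs offline.

```python
"""Check whether a Jenkins/Tomcat instance sets HttpOnly and Secure on JSESSIONID.

Added example for this bug report; not Jenkins, Tomcat or Debian package code.
Assumptions: Tomcat's default cookie name JSESSIONID, and that the page fetched
starts a session (otherwise no cookie is set and the check says so).
"""
import http.client
import sys
import urllib.parse

REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased so the comparison is case-insensitive,
    matching how browsers treat them (RFC 6265 section 5.2)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(set_cookie_headers, cookie_name="JSESSIONID", require_secure=True):
    """Return the required flags absent from the named session cookie.

    Returns None when no cookie of that name was set at all. Secure is only
    required when the site is served over HTTPS: a Secure cookie on a
    plain-HTTP Jenkins URL is never sent back, so the session would not work."""
    wanted = [f for f in REQUIRED_FLAGS if require_secure or f != "Secure"]
    missing = None
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        # The last Set-Cookie for the same name wins, as in a browser.
        missing = [f for f in wanted if f.lower() not in attrs]
    return missing


def fetch_set_cookie_headers(url, timeout=10):
    """GET the URL once, without following redirects, and return the
    Set-Cookie headers of that first response."""
    parsed = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.hostname, parsed.port, timeout=timeout)
    try:
        conn.request("GET", parsed.path or "/", headers={"User-Agent": "cookie-flag-check"})
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed samples: what an instance with the bug above sends, and what a
# correctly configured instance sends.
SAMPLE_BAD = ["JSESSIONID=8A2F7C1D; Path=/jenkins"]
SAMPLE_GOOD = ["JSESSIONID=8A2F7C1D; Path=/jenkins; Secure; HttpOnly"]


def main(argv):
    if len(argv) > 1:
        url = argv[1]
        headers = fetch_set_cookie_headers(url)
        secure_site = url.startswith("https://")
    else:
        headers, secure_site = SAMPLE_BAD, True
    missing = missing_flags(headers, require_secure=secure_site)
    if missing is None:
        print("no JSESSIONID cookie in response; fetch a page that starts a session")
        return 2
    if missing:
        print("JSESSIONID is missing: " + ", ".join(missing))
        return 1
    print("JSESSIONID has all required flags")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_cookie_flags.py https://ci.example.org/jenkins/` (hostname assumed). Exit status 1 means at least one flag is missing. The trace above shows why the reflective fix fails on Tomcat: the Servlet 3.0 SessionCookieConfig may only be changed before the context is initialised, so the flags have to come from the webapp's web.xml (`<session-config><cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>`), from the `useHttpOnly` attribute on the Tomcat Context, or from a ServletContextListener's contextInitialized, not from code that runs after startup.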
