Potential information disclosure and remote code execution via TLS bypass due to Java ECDSA cryptographic bypass vulnerability
Affected product(s)
- Gradle Enterprise Test Distribution Agent JAR (when using a vulnerable Java version)
- Gradle Enterprise Build Cache Node JAR (when using a vulnerable Java version)
- Gradle Enterprise Admin CLI JAR (when using a vulnerable Java version)
- Gradle Enterprise Scans Copy CLI JAR (when using a vulnerable Java version)
Severity
High
Published at
2022-04-22
Related CVE ID(s)
Description
A critical Java security vulnerability announced on the 19th of March 2022 allows trivial bypass of cryptographic security measures when using the ECDSA signature algorithm.
Gradle Enterprise server, and all associated components distributed as container images, include a Java runtime of version 11, which is not vulnerable.
The Gradle Enterprise Test Distribution Agent, Gradle Enterprise Build Cache Node, Gradle Enterprise Admin CLI tool and Gradle Enterprise Scans Copy CLI tool are available as both container images and standalone JARs. If you are using any of the standalone JARs, your usage may be vulnerable if you are executing it with a vulnerable Java version.
These components make HTTPS requests to various services. When they run on a vulnerable Java version, any man-in-the-middle proxy or other network infrastructure on the path can intercept these requests, nullifying the privacy offered by TLS.
For the Gradle Enterprise Test Distribution Agent and Gradle Enterprise Build Cache Node, an attacker able to intercept such network traffic and reverse engineer the proprietary control protocols used between these components and Gradle Enterprise could obtain build artifacts being transmitted or inject malicious artifacts.
For the Gradle Enterprise Admin CLI tool, an attacker able to intercept such network traffic between the tool and the Kubernetes cluster may observe Kubernetes cluster credentials or observe or interfere with administrative functions, allowing destructive operations on the cluster or Gradle Enterprise.
For the Gradle Enterprise Scans Copy CLI tool, an attacker able to intercept such network traffic could observe authentication credentials that allow access to scan publishing and data export. Furthermore, if able to reverse engineer the proprietary protocol used, the attacker could interfere with scan copying or inject illegitimate scan data.
Mitigation
Gradle Enterprise server installations are not vulnerable, and no mitigation is necessary. Usages of Gradle-provided container images are likewise not vulnerable.
Users of the Gradle Enterprise Test Distribution Agent, Gradle Enterprise Build Cache Node, Gradle Enterprise Admin CLI or Gradle Enterprise Scans Copy CLI standalone JARs should review the Java runtime used to run these components and update it if necessary.