Jervis Library Deterministic AES Initialization Vector Vulnerability
Vulnerability
A vulnerability exists in versions of the Jervis library for Job DSL plugin scripts and shared Jenkins pipeline libraries prior to 2.2. The library derives the AES initialization vector (IV) deterministically from the passphrase, so encrypting the same plaintext with the same passphrase always produces the same ciphertext. This IV reuse creates a pattern that could be analyzed, significantly reducing the security of the encryption. The severity is considered high if any consumer of the library uses these encryption methods directly.
Impact
The vulnerability allows for the reuse of the AES initialization vector, which can lead to the same ciphertext being produced for identical plaintexts when the same passphrase is used. This pattern can be analyzed, creating a potential risk of decrypting the data or understanding the encrypted content's structure.
Reproduction
The vulnerability can be reproduced by encrypting data with a passphrase using a Jervis library version prior to 2.2. The encryption uses a deterministic IV derived from the passphrase, so identical plaintexts produce the same ciphertext.
Remediation
Users can upgrade to Jervis version 2.2, which addresses this vulnerability by generating a secure, random IV for AES encryption.
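The flawed pattern beside the corrected one, as an added example that is not Jervis's own code. The hash-based derivation of key and IV and the AES/CBC mode are assumptions for illustration (the advisory does not give the library's actual derivation), and the passphrase and plaintext are constructed sample values.

```groovy
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.security.MessageDigest
import java.security.SecureRandom

// Assumption: key material comes from hashing the passphrase. This is simplified;
// only the way the IV is chosen matters for the comparison below.
byte[] sha256(String s) { MessageDigest.getInstance('SHA-256').digest(s.getBytes('UTF-8')) }

byte[] aesCbc(int mode, byte[] key, byte[] iv, byte[] data) {
    Cipher c = Cipher.getInstance('AES/CBC/PKCS5Padding')
    c.init(mode, new SecretKeySpec(key, 'AES'), new IvParameterSpec(iv))
    c.doFinal(data)
}

// Flawed pattern: the IV is a pure function of the passphrase (hypothetical derivation).
String encryptDeterministicIv(String passphrase, String plaintext) {
    byte[] iv = Arrays.copyOf(sha256('iv' + passphrase), 16)
    aesCbc(Cipher.ENCRYPT_MODE, sha256(passphrase), iv, plaintext.getBytes('UTF-8'))
        .encodeBase64().toString()
}

// Corrected pattern: a fresh random IV per message, stored in front of the ciphertext.
String encryptRandomIv(String passphrase, String plaintext) {
    byte[] iv = new byte[16]
    new SecureRandom().nextBytes(iv)
    byte[] ct = aesCbc(Cipher.ENCRYPT_MODE, sha256(passphrase), iv, plaintext.getBytes('UTF-8'))
    byte[] out = new byte[iv.length + ct.length]
    System.arraycopy(iv, 0, out, 0, iv.length)
    System.arraycopy(ct, 0, out, iv.length, ct.length)
    out.encodeBase64().toString()
}

// The IV is not secret: read it back from the first 16 bytes of the blob.
String decryptRandomIv(String passphrase, String blob) {
    byte[] raw = blob.decodeBase64()
    byte[] ct = Arrays.copyOfRange(raw, 16, raw.length)
    new String(aesCbc(Cipher.DECRYPT_MODE, sha256(passphrase), Arrays.copyOf(raw, 16), ct), 'UTF-8')
}

def passphrase = 'constructed-passphrase'   // constructed sample input
def secret = 'constructed secret value'     // constructed sample input
// Deterministic IV: two encryptions of the same value are byte-for-byte identical.
assert encryptDeterministicIv(passphrase, secret) == encryptDeterministicIv(passphrase, secret)
// Random IV: ciphertexts differ, yet both decrypt to the original plaintext.
def a = encryptRandomIv(passphrase, secret)
def b = encryptRandomIv(passphrase, secret)
assert a != b
assert decryptRandomIv(passphrase, a) == secret && decryptRandomIv(passphrase, b) == secret
```

The first assertion is also a quick regression check for any wrapper around an encryption helper: encrypt the same value twice and fail the build if the outputs match.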
