Jervis Library Weak Randomness Vulnerability in Timing Attack Mitigation

Vulnerability

A vulnerability exists in the Jervis library, used by Job DSL plugin scripts and Jenkins shared pipeline libraries, in versions prior to 2.2. The library uses java.util.Random, a deterministic generator that is not cryptographically secure, to produce the random delays it adds as a timing attack mitigation. Because the generator's internal state can be recovered from its outputs, an attacker can predict the delays, subtract them out, and recover the timing signal the delays were meant to hide.

Impact

The mitigation does not provide the protection it claims. An attacker who recovers the generator's state can predict every subsequent delay, so the timing attacks the random delays were meant to obscure remain feasible against the affected operations.

Reproduction

To reproduce, use a Jervis version prior to 2.2 and time an operation that passes through the affected randomization: create a CipherMap object with a private key and confirm that the default hash_iterations value is 5000; set plainMap to some data; then call toString(), which returns a base64-encoded serialization of the CipherMap. Timing this sequence shows the random delay being applied. Note that measuring the delay only shows that jitter is present; demonstrating exploitability means recovering the java.util.Random state from observed outputs and predicting the delays that follow.

Remediation

Users should upgrade to Jervis version 2.2 or later, which replaces java.util.Random with java.security.SecureRandom for the timing randomization. SecureRandom is a subclass of java.util.Random, so the change is a drop-in replacement of the generator; after upgrading, confirm that the running version is at least 2.2.
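The following is an added example written for this page; it is not Jervis's own code, and the page does not show how Jervis applies its delay, so the delay(), recover() methods, the MAX_JITTER_MS range and the class name are assumptions made for the demo. It models a timing mitigation that sleeps for a random number of milliseconds, recovers the full internal state of a java.util.Random instance from two consecutive full-width outputs (the generator is a 48-bit linear congruential generator whose nextInt() exposes the top 32 bits of its state, leaving only 16 bits to brute-force), predicts the victim's subsequent delays exactly, and then shows the SecureRandom replacement that the 2.2 fix makes.

```java
import java.security.SecureRandom;
import java.util.Random;

/*
 * Added example, not Jervis code. Models a timing-attack mitigation that
 * adds a random delay, shows why java.util.Random makes that delay
 * predictable, and shows the SecureRandom replacement used by Jervis 2.2.
 * MAX_JITTER_MS and the method names are assumptions made for this demo.
 */
public class JitterDemo {

    static final int MAX_JITTER_MS = 100;   // hypothetical jitter range

    // java.util.Random is a 48-bit linear congruential generator with these
    // constants (they are documented in the JDK source of java.util.Random).
    static final long MULT = 0x5DEECE66DL;
    static final long ADD  = 0xBL;
    static final long MASK = (1L << 48) - 1;

    /** The mitigation: sleep a random number of milliseconds before continuing. */
    static int delay(Random rng) throws InterruptedException {
        int ms = rng.nextInt(MAX_JITTER_MS);
        Thread.sleep(ms);
        return ms;
    }

    /**
     * Recover the generator's full state from two consecutive nextInt()
     * outputs of the same instance. nextInt() returns the top 32 bits of the
     * 48-bit state, so only the low 16 bits are unknown and can be brute-forced.
     * Returns a Random synchronised with the victim, or null if no candidate matches.
     */
    static Random recover(int out1, int out2) {
        long hi = ((long) out1 & 0xFFFFFFFFL) << 16;
        for (long lo = 0; lo < (1L << 16); lo++) {
            long state = hi | lo;
            long next = (state * MULT + ADD) & MASK;   // one LCG step, as in Random.next()
            if ((int) (next >>> 16) == out2) {
                // Random(seed) stores (seed ^ MULT) & MASK, so undo the scramble
                // to obtain an instance whose internal state equals 'next'.
                return new Random(next ^ MULT);
            }
        }
        return null;
    }

    public static void main(String[] args) throws InterruptedException {
        // Vulnerable: the pattern fixed in Jervis 2.2.
        Random weak = new Random();

        // Attacker observes two full-width outputs. This is the simplest case;
        // with nextInt(bound) more samples and a lattice attack are needed, but
        // the state is still only 48 bits with no entropy beyond the seed.
        int o1 = weak.nextInt();
        int o2 = weak.nextInt();
        Random clone = recover(o1, o2);
        if (clone == null) {
            System.out.println("state not recovered (outputs were not consecutive)");
            return;
        }
        for (int i = 0; i < 5; i++) {
            int predicted = clone.nextInt(MAX_JITTER_MS);   // attacker's prediction
            int actual = delay(weak);                       // victim's real delay
            System.out.printf("predicted %3d ms, actual %3d ms%n", predicted, actual);
        }

        // Hardened: SecureRandom extends java.util.Random, so delay() is
        // unchanged; the generator is now a CSPRNG whose state cannot be
        // recovered from its outputs, so the delays cannot be predicted.
        Random strong = new SecureRandom();
        System.out.println("SecureRandom jitter: " + delay(strong) + " ms");
    }
}
```

Run with `javac JitterDemo.java && java JitterDemo`; every predicted delay matches the actual one because, once the 48-bit state is known, the clone and the victim walk the same sequence, including the rejection loop inside nextInt(bound). The brute force over 65,536 candidates completes in well under a second, which is why the jitter adds no security when it comes from java.util.Random.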

Added: Jan 13, 2026, 8:46 PM
Updated: Jan 13, 2026, 8:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.