Cloudbees · Jenkins · CVE-2020-2100
**Name of the Vulnerable Software and Affected Versions**
Jenkins versions 2.218 and earlier
Jenkins LTS versions 2.204.1 and earlier
**Description**
The vulnerability allows a UDP amplification reflection denial-of-service attack against port 33848. It can be exploited by sending a specially crafted UDP packet, which can cause the Jenkins server to generate an infinite cycle of responses until it is restarted. The UDP multicast/broadcast service, enabled by default in affected versions, can be used in an amplification reflection attack, producing responses much larger than the initial request. This could be used in a DDoS attack on a Jenkins controller. Within the same network, spoofed UDP packets could also be sent to make two Jenkins controllers enter an infinite loop of replies to one another, causing a denial of service.
**Recommendations**
For Jenkins versions 2.218 and earlier, consider updating to version 2.219 or later, or to LTS version 2.204.2 or later, which disables UDP multicast/broadcast and DNS multicast by default.
Administrators who need these features can re-enable them after updating to a non-vulnerable version by setting the system property `hudson.DNSMultiCast.disabled` to `false` (for DNS multicast), or the system property `hudson.udp` to `33848` or another port (for UDP broadcast/multicast).
As a temporary workaround, consider disabling the UDP multicast/broadcast service by setting the system property `hudson.udp` to a port other than 33848, or by disabling it entirely, until a patch is applied.
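The following is an added audit helper, not code from Jenkins or from this advisory, that applies the version boundaries and system properties described above to a controller's version string and JVM command line (as read from the process list) and reports whether the UDP discovery service is exposed. It assumes the Jenkins convention that `hudson.udp=-1` disables the service, which this page does not state explicitly.

```python
import re
from typing import Optional

# Boundaries from the advisory: weekly <= 2.218 and LTS <= 2.204.1 are affected.
LAST_VULN_WEEKLY = (2, 218)
LAST_VULN_LTS = (2, 204, 1)
DEFAULT_UDP_PORT = 33848  # listening port on affected versions when hudson.udp is unset


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """LTS releases have three components (2.204.1); weeklies have two (2.218)."""
    v = parse_version(version)
    return v <= LAST_VULN_LTS if len(v) == 3 else v <= LAST_VULN_WEEKLY


def system_properties(cmdline: str) -> dict:
    """Extract -Dkey=value JVM system properties from a Jenkins command line."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", cmdline))


def udp_discovery_port(version: str, cmdline: str) -> Optional[int]:
    """Return the UDP discovery port, or None when the service is disabled.

    Affected versions listen on 33848 unless hudson.udp overrides it; fixed
    versions stay off unless hudson.udp names a port. A negative value
    (-1, the Jenkins convention, assumed here) disables the service.
    """
    props = system_properties(cmdline)
    if "hudson.udp" in props:
        port = int(props["hudson.udp"])
        return None if port < 0 else port
    return DEFAULT_UDP_PORT if is_affected(version) else None


def assess(version: str, cmdline: str) -> str:
    """One-line exposure verdict combining patch level and configuration."""
    port = udp_discovery_port(version, cmdline)
    if port is None:
        return "udp discovery disabled"
    if is_affected(version):
        return f"VULNERABLE: unpatched {version} with UDP discovery on {port}/udp"
    return f"exposed by configuration: UDP discovery re-enabled on {port}/udp"


if __name__ == "__main__":
    # Constructed sample command lines, not taken from a real host.
    print(assess("2.218", "java -jar jenkins.war"))
    print(assess("2.204.1", "java -Dhudson.udp=-1 -jar jenkins.war"))
    print(assess("2.204.2", "java -Dhudson.udp=33848 -jar jenkins.war"))
```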