Miggo Logo

CVE-2021-22511: SSL/TLS certificate validation unconditionally disabled by Jenkins Micro Focus Application Automation Tools Plugin

4.8

CVSS Score
3.1

Basic Information

EPSS Score
0.26891%
Published
5/24/2022
Updated
12/7/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:hp-application-automation-tools-pluginmaven<= 6.76.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from hardcoded SSL/TLS validation disabling in Service Virtualization connections. The patch introduced a 'trustEveryone' parameter to control validation. Key vulnerable functions are those that previously invoked CommandExecutorFactory.createCommandExecutor() without this parameter:

  1. doTestConnection() in SvServerSettingsGlobalConfiguration.java performed connection tests with forced validation disablement.
  2. createCommandExecutor() in AbstractSvRemoteRunner.java established production connections without validation. The commit diff shows these functions were modified to add the 'trustEveryone' parameter, confirming they were previously insecure by default.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mi*ro *o*us *ppli**tion *utom*tion Tools Plu*in *.* *n* **rli*r un*on*ition*lly *is**l*s SSL/TLS **rti*i**t* v*li**tion *or *onn**tions to S*rvi** Virtu*liz*tion s*rv*rs. Mi*ro *o*us *ppli**tion *utom*tion Tools Plu*in *.* no lon**r *is**l*s SSL/TLS

Reasoning

T** vuln*r**ility st*mm** *rom **r**o*** SSL/TLS v*li**tion *is**lin* in S*rvi** Virtu*liz*tion *onn**tions. T** p*t** intro*u*** * 'trust*v*ryon*' p*r*m*t*r to *ontrol v*li**tion. K*y vuln*r**l* *un*tions *r* t*os* t**t pr*viously invok** *omm*n**x*