
Cloud Vulnerability DB
A community-led vulnerabilities database
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier define custom XStream converters that were not updated to apply the protections XStream added for CVE-2021-43859, so they still allow unconstrained resource usage while parsing XML. The issue was publicly disclosed in February 2022 and affects the XML processing of the Jenkins automation server itself, not a plugin (Jenkins Advisory).
The vulnerability stems from the XStream library that Jenkins uses to serialize and deserialize its XML files, including the global and per-job config.xml, build.xml, and other configuration files. CVE-2021-43859 is an XStream denial-of-service issue, and XStream 1.4.19 addressed it by bounding the time spent processing collections during deserialization. Jenkins ships its own collection converters, and those converters did not implement the same limit, so crafted input still reached the unbounded code path. NVD rates the Jenkins issue with a CVSS v3.1 base score of 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
Attackers able to submit crafted XML to Jenkins for parsing as configuration (for example through the POST config.xml API, which normally requires permission to configure the item in question) can cause a denial of service (DoS): parsing the document consumes unbounded processing time in the converter, which can leave the Jenkins controller unresponsive (Jenkins Advisory).
The vulnerability is fixed in Jenkins 2.334 and LTS 2.319.3. The fix updates the bundled XStream library and applies the same DoS detection to the Jenkins-specific collection converters. Because the protection is a processing-time limit, very large or deeply nested configurations can trip it as a false positive; in that case administrators can set the Java system property hudson.util.XStream2.collectionUpdateLimit to the allowed processing time in seconds, or to -1 to disable the protection entirely. Disabling it restores the unbounded behaviour, so raising the limit is the safer choice (Jenkins Advisory).
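The two release lines in the advisory (weekly and LTS) have different fixed versions, which makes manual triage of a fleet error-prone. The script below is an added example, not code from the Jenkins project or from the advisory: it encodes only the version boundaries stated above (fixed in 2.334 and LTS 2.319.3), distinguishes the lines by the number of version components, and reads the X-Jenkins response header that a Jenkins controller sets on its HTTP responses. The controller names and versions in SAMPLE_INVENTORY are constructed for illustration.

```python
"""Triage helper: is a given Jenkins version affected by this advisory?

Added example, not part of Jenkins or of the advisory. It relies on two facts
from the advisory (fixed in weekly 2.334 and LTS 2.319.3) and on the X-Jenkins
header that Jenkins adds to its HTTP responses.
"""
import re
import urllib.error
import urllib.request

# Fixed releases named in the advisory. Weekly releases have two version
# components (2.333); LTS releases have three (2.319.2).
FIXED_WEEKLY = (2, 334)
FIXED_LTS = (2, 319, 3)


def parse_version(version: str) -> tuple:
    """Turn '2.319.2' into (2, 319, 2) or '2.333' into (2, 333).

    Anything else (e.g. '2.334-SNAPSHOT') raises ValueError so that an
    unparseable banner is reported rather than silently treated as safe.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def is_lts(version: str) -> bool:
    """LTS releases carry a third component; weekly releases do not."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True if the version predates the fix on its own release line.

    Tuple comparison handles both lines: LTS 2.332.1 sorts after 2.319.3 and
    is fixed, LTS 2.303.3 sorts before it and is affected.
    """
    v = parse_version(version)
    return v < FIXED_LTS if len(v) == 3 else v < FIXED_WEEKLY


def remediation(version: str) -> str:
    """Short action string for a report line."""
    if not is_affected(version):
        return "fixed"
    target = "LTS 2.319.3" if is_lts(version) else "2.334"
    return f"upgrade to {target} or newer"


def remote_version(base_url: str, timeout: float = 5.0) -> str:
    """Read the X-Jenkins header from a live controller (needs network access).

    Jenkins sets X-Jenkins on its responses, including the 403 an anonymous
    client receives on a locked-down instance, so an HTTPError still carries
    a usable answer.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            header = resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as err:
        header = err.headers.get("X-Jenkins")
    if not header:
        raise RuntimeError(f"{base_url}: no X-Jenkins header (not Jenkins, or a proxy strips it)")
    return header


def triage(inventory: dict) -> dict:
    """Map controller name -> (version, affected?, action) for an inventory."""
    return {name: (ver, is_affected(ver), remediation(ver)) for name, ver in inventory.items()}


# Constructed sample inventory: hypothetical names and versions, not real hosts.
SAMPLE_INVENTORY = {
    "build-weekly": "2.333",
    "build-lts": "2.319.2",
    "staging-weekly": "2.334",
    "staging-lts": "2.319.3",
    "new-lts-line": "2.332.1",
    "old-lts-line": "2.303.3",
}

if __name__ == "__main__":
    for name, (ver, affected, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{name:15} {ver:10} {'AFFECTED' if affected else 'ok':9} {action}")
```

For a live check, replace the inventory values with `remote_version("https://jenkins.example.internal")` (hostname hypothetical) and feed the result to `is_affected`. Once a controller is upgraded, prefer raising `-Dhudson.util.XStream2.collectionUpdateLimit=<seconds>` over `-1` if large configurations trigger the new limit, since `-1` removes the protection the fix introduced.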
Source: This report was generated using AI