Internet-exposed Jenkins servers remain unpatched against a critical, recently disclosed arbitrary file-read vulnerability for which proof-of-exploit code is now publicly available.
CVE-2024-23897 affects the built-in Jenkins command line interface and can lead to remote code execution on affected systems.
The Jenkins infrastructure team disclosed the vulnerability, and released updated software versions, on Jan. 24.
Proof-of-Concept Exploits
Since then, proof-of-concept exploit code has become available for the flaw, and there are some reports of attackers actively attempting to exploit it.
On Jan. 29, the nonprofit ShadowServer organization, which monitors the Internet for malicious activity, reported observing around 45,000 Internet-exposed instances of Jenkins that are vulnerable to CVE-2024-23897.
Many enterprise software development teams use Jenkins to build, test, and deploy applications.
Jenkins allows organizations to automate repetitive tasks in the software development process, such as testing, code quality checks, security scanning, and deployment.
Jenkins is also often used in continuous integration and continuous deployment environments.
Developers use the Jenkins CLI to access and manage Jenkins from a script or a shell environment.
CVE-2024-23897 is present in a CLI command parser feature that is enabled by default on Jenkins versions 2.441 and earlier and Jenkins LTS 2.426.2 and earlier.
The flaw allows an attacker with Overall/Read permission - something that most Jenkins users would require - to read entire files.
An attacker without that permission would still be able to read the first few lines of files, the Jenkins team said in the advisory.
Multiple Vectors for RCE
The vulnerability also puts at risk binary files containing cryptographic keys used for various Jenkins features, such as credential storage, artifact signing, encryption and decryption, and secure communications.
In situations where an attacker might exploit the vulnerability to obtain cryptographic keys from binary files, multiple attacks are possible, the Jenkins advisory warned.
When attackers can access cryptographic keys in binary files via CVE-2024-23897 they can also decrypt secrets stored in Jenkins, delete data, or download a Java heap dump, the Jenkins team said.
Researchers from SonarSource, who discovered the vulnerability and reported it to the Jenkins team, noted that, under certain conditions, even unauthenticated users can have at least read permission on Jenkins.
The new Jenkins versions 2.442 and LTS version 2.426.3 address the vulnerability.
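As an added example (not code from the article or from the Jenkins project), the following helper triages a Jenkins instance by the version it reports, using only the affected and fixed version numbers stated above; Jenkins advertises its version in the X-Jenkins response header, and the sample headers here are constructed rather than captured from a real server.

```python
import re

# Affected range as stated in the advisory summary: weekly 2.441 and earlier,
# LTS 2.426.2 and earlier. Fixed in weekly 2.442 and LTS 2.426.3.
LAST_VULN_WEEKLY = (2, 441)
LAST_VULN_LTS = (2, 426, 2)

def parse_version(text):
    """Turn '2.426.2' into (2, 426, 2). LTS releases carry three numeric
    components, weekly releases two; anything else is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)

def is_vulnerable(version):
    """True when the version falls inside the CVE-2024-23897 affected range.
    The LTS and weekly lines must be compared against their own bounds."""
    v = parse_version(version)
    if len(v) == 3:                   # LTS line, e.g. 2.426.2
        return v <= LAST_VULN_LTS
    return v <= LAST_VULN_WEEKLY      # weekly line, e.g. 2.441

def version_from_headers(raw_headers):
    """Extract the value of the X-Jenkins response header, if present."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None

# Constructed sample response; not captured from a real server.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Jenkins: 2.426.2
Content-Type: text/html;charset=utf-8"""

def triage(raw_headers):
    """Return (reported version, vulnerable?) or (None, None) if no header."""
    v = version_from_headers(raw_headers)
    return (v, is_vulnerable(v)) if v else (None, None)

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))  # ('2.426.2', True)
```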
Patch Now
Sarah Jones, cyber-threat intelligence research analyst at Critical Start, says organizations using Jenkins would do well not to ignore the vulnerability.
One reason for the concern is the fact that DevOps tools such as Jenkins can often contain critical and sensitive data that developers might bring in from production environments when building or developing new applications.
A case in point occurred last year, when a security researcher found a document listing 1.5 million individuals on the TSA's no-fly list sitting unprotected on a Jenkins server belonging to Ohio-based CommuteAir.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 29 Jan 2024 22:00:19 +0000