Time running out to patch Jenkins CI/CD server vulnerability

CSO Online – Lucian Constantin
Security researchers have issued warnings about attacks that are targeting Jenkins servers with a critical remote code execution vulnerability, which was patched recently.
Proof-of-concept exploits for the vulnerability are available and attackers have initiated scanning for vulnerable Jenkins servers, indicating an imminent threat.
According to scans conducted with the Shodan service, over 75,000 Jenkins servers are exposed online.
Jenkins, an open-source automation server commonly used for continuous integration and continuous delivery (CI/CD) pipelines, holds an estimated market share of around 44% due to its integrations with various services and tools.
The critical security flaw, identified as CVE-2024-23897, is an arbitrary file read issue that can allow attackers to read entire or partial binary files from the file system.
This could enable attackers to extract secret keys, escalate privileges to admin, and execute malicious code.
The vulnerability was patched in Jenkins versions 2.442 and LTS 2.426.3, along with several other high- and medium-severity flaws.
The vulnerability stems from Jenkins’ use of the args4j library to parse command arguments and options via the Jenkins command-line interface (CLI) feature.
The flaw exposes file contents if the @ character followed by a file path is included in a command argument, potentially leading to exposure of secrets.
Mitigating the vulnerability involves disabling the command parser feature that expands @-prefixed arguments into file contents, though this may break certain deployments that rely on it.
Therefore, use of this @-syntax mechanism is discouraged on Jenkins instances that are accessible over the network by non-administrators.
Another mitigation method is to disable access to the Jenkins CLI until the patches can be applied.
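A practical first step for defenders is to triage an inventory of Jenkins hosts against the fixed releases named above. The script below is an added example written for this page, not code from CSO Online or the Jenkins project; it assumes the version string has already been collected (Jenkins reports it in the `X-Jenkins` HTTP response header), and the hostnames and versions in the sample inventory are constructed. The point it demonstrates is that Jenkins has two release streams, weekly (two components, e.g. 2.442) and LTS (three components, e.g. 2.426.3), so each version must be compared against the fix in its own stream: a naive numeric comparison would call weekly 2.440 "fixed" because it is greater than 2.426.3.

```python
"""Triage Jenkins instances against the fixed versions for CVE-2024-23897.

Added example (not from the CSO Online article or the Jenkins project).
Fixed releases per the article: weekly 2.442 and LTS 2.426.3. The
inventory below is constructed sample data, not real hosts.
"""
import re
from typing import List, Optional, Tuple

# Fixed versions named in the article, one per release stream.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Weekly versions look like "2.442"; LTS versions look like "2.426.3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Parse '2.426.3' or '2.442' into an int tuple; None if unparseable."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(raw: str) -> Optional[bool]:
    """True if the version predates the fix in its own release stream.

    Returns None when the version cannot be parsed, so callers treat it as
    unknown rather than silently marking it safe.
    """
    v = parse_version(raw)
    if v is None:
        return None
    if len(v) == 3:              # three components: LTS stream
        return v < FIXED_LTS
    return v < FIXED_WEEKLY      # two components: weekly stream


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Sort (host, version) pairs into vulnerable / fixed / unknown buckets."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        state = is_vulnerable(version)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["vulnerable"].append(host)
        else:
            result["fixed"].append(host)
    return result


# Constructed sample inventory: hostnames and version values are made up.
SAMPLE_INVENTORY = [
    ("ci-a.example.internal", "2.426.2"),  # LTS, one release behind the fix
    ("ci-b.example.internal", "2.426.3"),  # LTS, fixed
    ("ci-c.example.internal", "2.440"),    # weekly, vulnerable although > 2.426.3
    ("ci-d.example.internal", "2.442"),    # weekly, fixed
    ("ci-e.example.internal", "2.443"),    # weekly, later than the fix
    ("ci-f.example.internal", "unknown"),  # unparseable, needs manual review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Hosts that land in the "unknown" bucket should be checked by hand rather than assumed patched; hosts in the "vulnerable" bucket are candidates for the interim mitigation of disabling CLI access until the update can be applied.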
Security researchers have highlighted that proof-of-concept exploits for this vulnerability are available on GitHub, and there have been reports of exploit activities already occurring.
Link: https://www.csoonline.com/article/1302456/time-running-out-to-patch-vulnerability-in-jenkins-ci-cd-server.html

