Monday, November 11, 2024
HomeCVE/vulnerabilityCritical Jenkins Vulnerabilities Expose Servers To RCE Attack

Critical Jenkins Vulnerabilities Expose Servers To RCE Attack

Published on

Malware protection

Jenkins, an open source automation server, has been found to have two security issues, one of which is a critical flaw that, if exploited, might lead to remote code execution (RCE).

An attacker may be able to read arbitrary files from the Jenkins controller file system, which could disclose confidential data or open the door to more exploitation.

“This is a critical vulnerability as the information obtained can be used to increase access up to and including remote code execution (RCE)”, reads the Jenkins Security Advisory.

- Advertisement - SIEM as a Service

Overview Of The Vulnerability

The critical arbitrary file read vulnerability is identified as  CVE-2024-43044, which lets attackers with Agent/Connect permission, agent processes, and code executing on agents read arbitrary files from the Jenkins controller file system.

Jenkins employs the Remoting library to facilitate communication between the controller and agents; this library is usually agent.jar or remoting.jar. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

For agents to execute Java objects (build steps, etc.) sent by the controller, this library enables agents to load classes and classloader resources from the controller.

Using the Channel#preloadJar API, Jenkins plugins can use Remoting to send complete jar files to agents in addition to individual class and resource files.

Using the `ClassLoaderProxy#fetchJar} method in the Remoting library, agent processes can read arbitrary files from the Jenkins controller file system in Jenkins 2.470 and prior, as well as LTS 2.452.3 and earlier.

This issue was reported by Yangyue and Jiangchenwei (Nebulalab).

Furthermore, a medium severity Missing permission check vulnerability was identified as CVE-2024-43045. 

Because an HTTP endpoint does not conduct a permission check, attackers with Overall/Read permission can read other users’ “My Views” using Jenkins 2.470 and older, as well as LTS 2.452.3 and earlier.

“This allows attackers with Overall/Read permission to access other users’ “My Views”. Attackers with global View/Configure and View/Delete permissions are also able to change other users’ “My Views”, reads the advisory.

Access to a user’s “My Views” is limited to the owning user and administrators in Jenkins 2.471, LTS 2.452.4, and LTS 2.462.1.

This problem was reported by CloudBees, Inc.’s Daniel Beck.

Affected Versions 

  • Jenkins weekly up to and including 2.470
  • Jenkins LTS up to and including 2.452.3

Fixes Available

  • Jenkins weekly should be updated to version 2.471
  • Jenkins LTS should be updated to version 2.452.4 or 2.462.1

All prior versions are considered to be affected by these vulnerabilities. Therefore, updating to the most recent version is advised to avoid possible risks.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...