Critical Jenkins Vulnerabilities Expose Servers To RCE Attack

Jenkins, an open source automation server, has been found to have two security issues, one of which is a critical flaw that, if exploited, might lead to remote code execution (RCE).

An attacker may be able to read arbitrary files from the Jenkins controller file system, which could disclose confidential data or open the door to more exploitation.

“This is a critical vulnerability as the information obtained can be used to increase access up to and including remote code execution (RCE)”, reads the Jenkins Security Advisory.

Overview Of The Vulnerability

The critical arbitrary file read vulnerability is identified as  CVE-2024-43044, which lets attackers with Agent/Connect permission, agent processes, and code executing on agents read arbitrary files from the Jenkins controller file system.

Jenkins employs the Remoting library to facilitate communication between the controller and agents; this library is usually agent.jar or remoting.jar. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

For agents to execute Java objects (build steps, etc.) sent by the controller, this library enables agents to load classes and classloader resources from the controller.

Using the Channel#preloadJar API, Jenkins plugins can use Remoting to send complete jar files to agents in addition to individual class and resource files.

Using the `ClassLoaderProxy#fetchJar} method in the Remoting library, agent processes can read arbitrary files from the Jenkins controller file system in Jenkins 2.470 and prior, as well as LTS 2.452.3 and earlier.

This issue was reported by Yangyue and Jiangchenwei (Nebulalab).

Furthermore, a medium severity Missing permission check vulnerability was identified as CVE-2024-43045. 

Because an HTTP endpoint does not conduct a permission check, attackers with Overall/Read permission can read other users’ “My Views” using Jenkins 2.470 and older, as well as LTS 2.452.3 and earlier.

“This allows attackers with Overall/Read permission to access other users’ “My Views”. Attackers with global View/Configure and View/Delete permissions are also able to change other users’ “My Views”, reads the advisory.

Access to a user’s “My Views” is limited to the owning user and administrators in Jenkins 2.471, LTS 2.452.4, and LTS 2.462.1.

This problem was reported by CloudBees, Inc.’s Daniel Beck.

Affected Versions

• Jenkins weekly up to and including 2.470
• Jenkins LTS up to and including 2.452.3

Fixes Available

• Jenkins weekly should be updated to version 2.471
• Jenkins LTS should be updated to version 2.452.4 or 2.462.1

All prior versions are considered to be affected by these vulnerabilities. Therefore, updating to the most recent version is advised to avoid possible risks.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download