Risks Heightened by PoC Exploits for Critical New Jenkins Vulnerability

A recently discovered vulnerability affecting Internet-exposed Jenkins servers has caused concern, as most of these servers remain unpatched and at risk of exploitation. Identified as CVE-2024-23897, the vulnerability affects the built-in Jenkins command line interface (CLI) and can lead to remote code execution. The Jenkins infrastructure team released updated versions of the software on Jan. 24 to address the vulnerability.

Following the release of the updated versions and the disclosure of the vulnerability, proof-of-concept (PoC) exploit code for the flaw has surfaced, enabling potential attackers to exploit the vulnerability. According to reports from the nonprofit ShadowServer organization, approximately 45,000 Internet-exposed instances of Jenkins remain vulnerable to CVE-2024-23897, including around 12,000 instances in the US and a similar number in China.

Jenkins, a popular platform used by many enterprise software development teams, is often used to automate repetitive tasks in software development, including testing, code quality checks, security scanning, and deployment. The vulnerability, in the Jenkins CLI command parser, allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

The potential impact of the vulnerability is significant: an attacker with Overall/Read permission, which many Jenkins users have, can read entire files, and even without this permission an attacker can read the first few lines of files. Binary files containing cryptographic keys used for various Jenkins features are also at risk, potentially leading to remote code execution, decryption of secrets stored in Jenkins, data deletion, or Java heap dump downloads.

SonarSource researchers who discovered the vulnerability confirmed its exploitability and revealed that even unauthenticated users could obtain at least read permission on Jenkins under certain conditions. Although there is a certain level of complexity involved in exploiting the vulnerability to achieve code execution, the prospect of escalation depends on the specific Jenkins instance.

To address the vulnerability, organizations are strongly recommended to upgrade to Jenkins 2.442 or LTS 2.426.3, or to disable CLI access if immediate upgrading is not feasible. Sarah Jones, a cyber threat intelligence research analyst at Critical Start, emphasized the importance of prompt patching, cautioning that unpatched systems are exposed to data theft, system compromise, disrupted pipelines, and compromised software releases.
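As an added example (not code from the article or from the Jenkins project), the following script classifies a Jenkins version string against the fixed versions named above, so an administrator can triage an inventory of controllers. It assumes the version is taken from the `X-Jenkins` response header that a Jenkins controller sends, that two-component versions are weekly releases and three-component versions are LTS releases; the host list and header values are constructed samples.

```python
import re
from typing import Optional, Tuple

# Fixed versions named in the article: weekly 2.442, LTS 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Weekly releases look like "2.441"; LTS releases look like "2.426.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(header_value: str) -> Optional[Tuple[int, ...]]:
    """Parse a Jenkins version (e.g. the X-Jenkins header value) into a
    tuple of ints, or return None if it does not match either shape."""
    m = _VERSION_RE.match(header_value.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(header_value: str) -> Optional[bool]:
    """True if the version predates the CVE-2024-23897 fix, False if it is
    fixed, None if the value cannot be classified (e.g. a suffixed build)."""
    v = parse_version(header_value)
    if v is None:
        return None
    if len(v) == 3:            # LTS line: compare against the LTS fix
        return v < FIXED_LTS
    return v < FIXED_WEEKLY    # weekly line: compare against the weekly fix


def triage(hosts):
    """Map host -> vulnerability status for an inventory of controllers."""
    return {host: is_vulnerable(val) for host, val in hosts.items()}


# Constructed sample inventory (assumption: these are not real hosts).
SAMPLE = {
    "ci-a.example.internal": "2.441",    # last unfixed weekly
    "ci-b.example.internal": "2.426.2",  # last unfixed LTS
    "ci-c.example.internal": "2.442",    # fixed weekly
    "ci-d.example.internal": "2.426.3",  # fixed LTS
    "ci-e.example.internal": "2.440.1",  # newer LTS line, fixed
    "ci-f.example.internal": "unknown",  # cannot be classified
}

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "fixed", None: "unclassified"}
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {labels[status]}")
```

Hosts reported as unclassified still need a manual check, and a fixed version does not by itself confirm that CLI access has been restricted as the article recommends.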

In addition to patching, Jones recommends implementing a least-privilege model, vulnerability scanning, continuous monitoring for suspicious activities, and promoting security awareness among developers and administrators. As the risk posed by the vulnerability remains high, organizations using Jenkins must prioritize implementing necessary security measures to mitigate potential threats.
