ACSC presses enterprises to patch Jenkins

The Australian Cyber Security Centre is warning Australian enterprises to immediately patch vulnerabilities in the Jenkins continuous integration/continuous deployment software that were first disclosed last week.

According to the Jenkins advisory, two vulnerabilities were found in the system: the critical-rated CVE-2024-23897 and the high-rated CVE-2024-23898.

CVE-2024-23897 arises through Jenkins’ use of the args4j library to parse command arguments and options in the command line interface (CLI).

“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it,” the advisory stated.

“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”
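As an added illustration, not code from the article or from the Jenkins project, the following Python model reproduces the expandAtFiles behaviour the advisory describes (an argument of the form @path is replaced by that file's contents, read with the process's default encoding) beside the hardened setting in which the @ argument is passed through untouched, plus a triage helper for the version ranges the advisory quotes. The command name, file path and file contents are constructed for the demo; reading the file one argument per line mirrors args4j's behaviour as I understand it, and the version helper covers only the core Jenkins ranges named above, not the plugin CVEs.

```python
import os
import tempfile


def parse_cli_args(argv, expand_at_files=True, encoding=None):
    """Model of the args4j 'expandAtFiles' feature described in the advisory.

    expand_at_files=True is the vulnerable default: any '@<path>' argument is
    replaced by the lines of <path>, decoded with the process default encoding
    (encoding=None). expand_at_files=False is the hardened behaviour: the
    argument is kept literally and no file is ever opened.
    """
    expanded = []
    for arg in argv:
        if expand_at_files and arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], "r", encoding=encoding) as fh:
                # args4j adds one argument per line of the referenced file
                expanded.extend(line.rstrip("\r\n") for line in fh if line.strip())
        else:
            expanded.append(arg)
    return expanded


def is_affected_version(version):
    """True if the version is in the affected ranges the advisory names:
    weekly 2.441 and earlier (two components) or LTS 2.426.2 and earlier
    (three components)."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) == 3:
        return parts <= (2, 426, 2)
    if len(parts) == 2:
        return parts <= (2, 441)
    raise ValueError(f"unrecognised Jenkins version string: {version}")


def demo():
    """Constructed scenario: a file with secret-looking lines exists on the
    controller; compare what a '@<path>' CLI argument becomes under each
    parser setting. Returns (vulnerable_result, hardened_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "constructed-secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret-line-1\nconstructed-secret-line-2\n")
        argv = ["some-command", "@" + secret_path]  # constructed CLI invocation
        vulnerable = parse_cli_args(argv, expand_at_files=True)
        hardened = parse_cli_args(argv, expand_at_files=False)
    return vulnerable, hardened
```

With expansion enabled the file's lines surface as CLI arguments (and therefore in any error or echo output the command produces), which is why the only complete mitigation is upgrading to a release that disables the feature.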

The Jenkins team identified a large number of remote code execution (RCE) vectors this enables, including via resource root URLs, via the “remember me” cookie, using XSS, or bypassing CSRF protection.

From there, attack impacts included decrypting secrets, deleting any item, and downloading Java heap dumps of the Jenkins controller process, or any agent process.

Proof-of-concept code has been published at two GitHub repositories.

The ACSC’s warning probably arises from the large number of vulnerable systems identified by the Shadowserver Foundation.

“Around 45,000 exposed Jenkins instances vulnerable to CVE-2024-23897 (Arbitrary file read vulnerability through the CLI can lead to RCE). If you run Jenkins and receive an alert from us, make sure to read Jenkins advisory,” Shadowserver posted on X.

The high-rated CVE-2024-23898 enables cross-site WebSocket hijacking in the command line interface.

The Australian Cyber Security Centre is “also tracking CVE-2024-23899, CVE-2024-23900, CVE-2024-23901, CVE-2024-23901, CVE-2024-23902, CVE-2024-23903, CVE-2023-6148, CVE-2023-6147, CVE-2024-23905 and CVE-2024-23904 affecting Jenkins products.”
