The Australian Cyber Security Centre is warning Australian enterprises to immediately patch vulnerabilities in the Jenkins continuous integration/continuous deployment software that were first disclosed last week.
According to the Jenkins advisory, two vulnerabilities were found in the system: the critical-rated CVE-2024-23897, and the high-rated CVE-2024-23897.
CVE-2024-23897 arises through Jenkins’ use of the args4j library to parse command arguments and options in the command line interface (CLI).
“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it,” the advisory stated.
“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”
The Jenkins team identified a large number of remote code execution (RCE) vectors this enables, including via resource root URLs, via the “remember me” cookie, using XSS, or bypassing CSRF protection.
From there, attack impacts included decrypting secrets, deleting any item, and downloading Java heap dumps of the Jenkins controller process, or any agent process.
Proof-of-concept code has been published at two GitHub repositories.
The ACSC’s warning probably arises from the large number of vulnerable systems identified by the Shadowserver Foundation.
“Around 45,000 exposed Jenkins instances vulnerable to CVE-2024-23897 (Arbitrary file read vulnerability through the CLI can lead to RCE). If you run Jenkins and receive an alert from us, make sure to read Jenkins advisory,” Shadowserver posted on X.
The high-rated CVE-2024-23898 enables cross-site WebSocket hijacking in the command line interface.
The Australian Cyber Security Centre is “also tracking CVE-2024-23899, CVE-2024-23900, CVE-2024-23901, CVE-2024-23901, 2024-23902, 2024-23903, CVE-2023-6148, CVE-2023-6147, CVE-2024-23905 and CVE-2024-23904 affecting Jenkins products.”