Update Jenkins Server Software for Critical Vulnerability
This Alert is intended for U-M IT staff who use Jenkins open source automation server for software development.
Summary
Jenkins open source automation server has released updates to address a critical vulnerability that could lead to remote code execution (RCE). The updates or workaround should be applied as soon as possible after appropriate testing.
Problem
Multiple proof-of-concept (PoC) exploits have been made publicly available for a critical Jenkins vulnerability that allows unauthenticated attackers to read arbitrary files. This vulnerability could be leveraged to escalate privileges to admin and eventually execute arbitrary code on the server.
Threats
According to Sonar, some researchers have reported that attackers are actively exploiting the flaws. We are aware of reports that multiple proof-of-concept (PoC) exploits have been made publicly available.
Affected Systems
- Jenkins 2.441 and earlier
- Jenkins LTS 2.426.2 and earlier
Action Items
Update to Jenkins 2.442 and LTS 2.426.3 as soon as possible after appropriate testing. Because of the severity of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- If the update cannot be applied ASAP, disable access to the command line interface (CLI) to prevent exploitation.
- For instructions on the update or workaround, refer to Jenkins Security Advisory 2024-01-24.
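The following script is an added illustration for inventory triage; it is not part of this alert or of the Jenkins project. It classifies a Jenkins version string against the affected ranges stated above, assuming the Jenkins numbering convention in use at the time: two-component versions (e.g. "2.441") are weekly releases and three-component versions (e.g. "2.426.2") are LTS releases. The sample host inventory is constructed for the example.

```python
"""Classify Jenkins version strings against the affected ranges in this
alert: weekly 2.441 and earlier, LTS 2.426.2 and earlier.

Added illustration, not U-M or Jenkins code. Assumption: weekly releases
use two version components, LTS releases use three.
"""
from typing import Dict, Tuple

# Fixed versions named in the alert's Action Items.
FIXED_WEEKLY: Tuple[int, ...] = (2, 442)
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "2.426.2" into (2, 426, 2); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def release_line(version: Tuple[int, ...]) -> str:
    """'lts' for three-component versions, 'weekly' for two-component ones."""
    if len(version) == 3:
        return "lts"
    if len(version) == 2:
        return "weekly"
    raise ValueError(f"unexpected version shape: {version}")


def is_affected(text: str) -> bool:
    """True when the version is below the fixed release for its line."""
    version = parse_version(text)
    fixed = FIXED_LTS if release_line(version) == "lts" else FIXED_WEEKLY
    # Tuple comparison is component-wise, so (2, 426, 2) < (2, 426, 3).
    return version < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch' or 'ok' based on its reported version."""
    return {host: ("patch" if is_affected(ver) else "ok") for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "ci-build-01": "2.426.2",
        "ci-build-02": "2.426.3",
        "ci-dev-01": "2.441",
        "ci-dev-02": "2.442",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```

Feed it the version strings your inventory tool already collects; any host marked "patch" falls under the immediate-action requirement above.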
Technical Details
According to Bleeping Computer, the flaw stems from the default behavior of the args4j command parser in Jenkins, which automatically expands file contents into command arguments when an argument starts with the "@" character, allowing unauthorized reading of arbitrary files on the Jenkins controller file system.
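To make the mechanism above concrete, here is an added toy parser (not Jenkins or args4j code) that reproduces the described behaviour in miniature: an argument beginning with "@" is replaced by tokens read from the named file. The exact expansion rule is an assumption made for the illustration. A hardened variant beside it treats every argument literally, which is the property a fixed parser must have; the "secret" file it reads is a constructed temporary file.

```python
"""Toy command-line parser contrasting automatic "@file" expansion with
literal argument handling.

Added illustration, not Jenkins or args4j code. Assumed expansion rule:
an argument starting with "@" is replaced by the whitespace-separated
tokens read from the file it names.
"""
import os
import tempfile
from typing import Dict, List


def parse_args_expanding(argv: List[str]) -> List[str]:
    """Unsafe default: any "@path" argument is replaced by that file's contents."""
    out: List[str] = []
    for arg in argv:
        if arg.startswith("@"):
            # The caller never sees the path again; the file's contents
            # become command arguments, and thus reach parsing and error output.
            with open(arg[1:], encoding="utf-8") as fh:
                out.extend(fh.read().split())
        else:
            out.append(arg)
    return out


def parse_args_literal(argv: List[str]) -> List[str]:
    """Hardened: arguments are taken literally; "@" carries no special meaning."""
    return list(argv)


def demo() -> Dict[str, List[str]]:
    """Run both parsers over the same argv and return what each produced."""
    # Constructed stand-in for a file the caller should not be able to read.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False, encoding="utf-8") as fh:
        fh.write("example-secret-token\n")
        secret_path = fh.name
    try:
        argv = ["connect-node", "@" + secret_path]
        return {
            "expanding": parse_args_expanding(argv),
            "literal": parse_args_literal(argv),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, args in demo().items():
        print(f"{mode:>9}: {args}")
```

The expanding parser turns the path into the file's contents before any authorization check can run, which is why the alert's interim workaround removes the CLI entry point entirely rather than trying to filter arguments.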
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Cybersecurity Advisory: Multiple Vulnerabilities in Jenkins Could Allow for Remote Code Execution (Multi-State Information Sharing and Analysis Center (MS-ISAC), 1/29/24)
- Exploits released for critical Jenkins RCE flaw, patch now (Bleeping Computer, 1/28/24)
- Critical Jenkins Vulnerability Leads to Remote Code Execution (SecurityWeek, 1/26/24)
- Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins (Sonar, 1/24/24)
- Jenkins Security Advisory 2024-01-24 (Jenkins)