Tech Stack
- Affected Technology: Jenkins Continuous Integration and Delivery Server
Date(s) Issued
- Publication Date: January 24, 2024
- Last Modified Date: August 19, 2024
Criticality
- CVSS Score: 9.8 (Critical)
- Impact: Allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system, potentially leading to remote code execution.
- Attack Vector: Network
Overview
CVE-2024-23897 is a critical vulnerability in Jenkins that stems from the misuse of the args4j library in its Command Line Interface (CLI). The CLI command parser has a feature that replaces an ‘@’ character followed by a file path in an argument with the file’s contents. This feature is enabled by default in Jenkins versions 2.441 and earlier, as well as LTS 2.426.2 and earlier, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Affected versions:
- Jenkins versions up to and including 2.441
- Jenkins LTS versions up to and including 2.426.2
Potential impact:
- Unauthorized access to sensitive files, including configuration files and credentials.
- Potential for remote code execution if attackers gain access to critical files.
Solution/Mitigation
- Upgrade Jenkins
- Upgrade to Jenkins version 2.442 or newer. For LTS users, upgrade to 2.426.3 or newer. These versions have disabled the vulnerable feature. Jenkins
- Download the latest version from the official Jenkins website.
- Disable CLI Access (Temporary Mitigation)
- If immediate upgrading is not feasible, disable CLI access to prevent exploitation.
- To disable CLI over Remoting:
- Navigate to Manage Jenkins > Configure Global Security.
- Uncheck Enable CLI over Remoting.
- Note: Disabling CLI is a temporary measure and may impact automation scripts relying on CLI commands.
- Restrict Network Access
- Use firewall rules or security groups to restrict access to the Jenkins controller, allowing only trusted IP addresses.
- Ensure that the Jenkins CLI port is not exposed to untrusted networks.
- Monitor and Audit
- Regularly review access logs for any unauthorized or suspicious activities, especially attempts to access the
/cliendpoint. - Implement intrusion detection systems to alert on potential exploitation attempts.
- Regularly review access logs for any unauthorized or suspicious activities, especially attempts to access the
- Apply Principle of Least Privilege
- Ensure that Jenkins runs with the minimum necessary permissions to limit the impact of potential exploitation.
- Review and adjust user roles and permissions within Jenkins to minimize exposure.
Confirmation & Additional Information
Verification:
After upgrading, verify the Jenkins version by navigating to Manage Jenkins > System Information or by running:cssCopy codejava -jar jenkins.war --version
Test critical functionalities to ensure they operate as expected post-upgrade.
Staying Updated:
Regularly check the Jenkins Security Advisories for updates.
Subscribe to Jenkins mailing lists or RSS feeds to receive timely notifications about security patches.
Additional Resources:
