On January 24th, Jenkins, a widely used open source CI/CD automation tool, released a security advisory regarding a new critical vulnerability that could allow arbitrary file read, possibly leading to Remote Code Execution (RCE). The vulnerability was discovered by Sonar Security on November 13th, and was assigned CVE-2024-23897 with a CVSS score of 9.8.

The vulnerability is very easy to discover and exploit, and could result in significant consequences for organizations using Jenkins for their CI/CD pipelines. From our scans on the Orca Cloud Security Platform, we found that 43% of organizations operate at least one unmanaged Jenkins server in their environment. In this blog post, we’ll review what the vulnerability is, why it’s so dangerous, and how to remediate it.

Jenkins security advisory from the Orca Cloud Security Platform

What is Jenkins?

Jenkins is an open source automation server, used for continuous integration/continuous delivery (CI/CD) processes used by DevOps teams. It helps automate application build procedures, testing and deployment stages. The Jenkins server is widely used due to its easy installation and ability to handle repetitive tasks, which saves a lot of time for DevOps teams. 

About the Jenkins vulnerability

The vulnerability occurs when the Command Line Interface (CLI) component of Jenkins parses the ‘@’ character. Parsing the character with a file path after it, returns the entire file’s content for users with Overall/Read permission and the top three lines of files for users without any permissions at all. 

The CLI component in Jenkins is used for access from a shell environment. This component is  using the args4j library for parsing commands passed through the CLI and is the source of the vulnerability replacing ‘@’ followed by file path with the file content. This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.

How can hackers abuse the vulnerability?

This flaw in handling the ‘@’ character allows attackers to view sensitive files in the Jenkins instance such as etc/passwd, etc/shadow, keys files, source code and more.

In addition to that, this vulnerability allows remote code execution in several scenarios presented in Jenkins’ advisory. For example a stored XSS through build logs, a “Remember Me” cookie and CSRF protection bypass. Jenkins noted that this attack scenario list is not final, and it is likely that there are more scenarios that could lead to RCE by exploiting this vulnerability. 

The vulnerability has several POCs available online, and many organizations have already reported exploitation attempts towards publicly facing instances.

Reports of Jenkins CVE exploitation attempts

On January 30th, ShadowServer announced that they found over 45,000 exposed vulnerable instances worldwide, and shared the following heatmap, showing that the US, China and Germany are the most exposed countries.

Heatmap of Jenkins servers exposed to CVE-2024-23897

How to remediate the Jenkins vulnerability

Due to the critical nature of this vulnerability, it is highly recommended to update the Jenkins server as soon as possible to Jenkins 2.442, LTS 2.426.3. If upgrading is not possible immediately, the Jenkins team recommends disabling access to the CLI. This should prevent any exploitation of the vulnerability and not require a restart of the server.

How Orca Security can help

The Orca Platform continuously scans for vulnerabilities in your cloud environments, including AWS, Azure, Google, Kubernetes, and others. On the dashboard, a ‘From the News’ widget is included that highlights trending vulnerabilities and shows whether you have any assets that are exposed so you can immediately investigate and mitigate any critical issues.

Orca’s news widget includes trending CVEs so you instantly see if you are vulnerable

When Orca finds a vulnerability, it will immediately create an alert and assign a risk score to it.  The score is determined by considering the full contextual picture of the risk and the surrounding cloud environment, so teams can quickly understand the severity and urgency of each alert. In the example below, the Jenkins vulnerability is given a risk score of 9.1, which means it is considered critical.

The Orca Platform rated this alert as critical with a score of 9.1 out of 10

Orca makes it easy for teams to quickly remediate alerts by providing the option to use built-in generative AI to generate remediation code that can be copied and pasted into the CLI or Infrastructure as Code (IaC) provisioning tools, or steps that can be followed in the console.

In this example Orca has generated remediation instructions for AWS CloudFormation

About the Orca Cloud Security Platform

The Orca Cloud Security Platform identifies, prioritizes, and remediates risks and compliance issues across your cloud estate spanning AWS, Azure, Google Cloud, Kubernetes, and more. Leveraging its patented agentless SideScanning technology, Orca offers comprehensive cloud security coverage detecting vulnerabilities, misconfigurations, lateral movement, API risks, sensitive data at risk, anomalous events and behaviors, and overly permissive identities. Instead of layering multiple siloed tools together or deploying cumbersome agents, Orca delivers complete cloud security in a single platform.

Schedule a demo to see how Orca helps uplevel your cloud security.