The Australian Cyber Security Centre is warning Australian enterprises to immediately patch vulnerabilities in the Jenkins continuous integration/continuous deployment software that were first disclosed last week.
According to the Jenkins advisory, two vulnerabilities were found in Jenkins: the critical-rated CVE-2024-23897 and the high-rated CVE-2024-23898.
CVE-2024-23897 arises through Jenkins’ use of the args4j library to parse command arguments and options in the command line interface (CLI).
“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it,” the advisory stated.
“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”
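To make the mechanism concrete, here is an added illustration, written for this article and not code from Jenkins, args4j or the advisory. It is a toy Python model of an option parser with an "@file" expansion feature like the one described above: with expansion on, an argument of the form @path is silently replaced by the contents of that file before the command ever sees it; with expansion off (the hardened configuration, which is what the fixed Jenkins releases do), the same token stays a literal string. The option name `--name`, the `parse` and `demonstrate` helpers and the temporary "secret" file are all constructed for the example.

```python
"""Toy model of an args4j-style command parser with '@file' expansion.

Constructed for illustration only; this is not args4j or Jenkins code.
"""
import os
import tempfile


class ArgError(ValueError):
    """Raised for an argument the parser does not understand."""


def tokenize(argv, expand_at_files):
    """Return argv after optional @file expansion.

    With expand_at_files=True (modelling the unsafe default the advisory
    describes) a token '@/some/path' is replaced by the whitespace-separated
    tokens read from that file, so whoever supplies argv chooses what is read
    from the parser's filesystem. With expand_at_files=False the token is
    passed through unchanged.
    """
    tokens = []
    for tok in argv:
        if expand_at_files and tok.startswith("@") and len(tok) > 1:
            with open(tok[1:], encoding="utf-8") as fh:  # reads with the process's own privileges
                tokens.extend(fh.read().split())
        else:
            tokens.append(tok)
    return tokens


def parse(argv, expand_at_files=True):
    """Parse a single hypothetical '--name <value>' option and return it.

    An unrecognised token raises ArgError whose message echoes that token; in
    this model that is one path by which expanded file content can flow back to
    the caller even when the command itself never runs.
    """
    tokens = tokenize(argv, expand_at_files)
    opts = {}
    i = 0
    while i < len(tokens):
        if tokens[i] == "--name" and i + 1 < len(tokens):
            opts["name"] = tokens[i + 1]
            i += 2
        else:
            raise ArgError(f"unknown argument: {tokens[i]!r}")
    return opts


def demonstrate(secret_text="s3cr3t-token"):
    """Write a constructed 'secret' file, then parse the same argv with the
    expansion feature on (vulnerable) and off (hardened). Returns both results
    plus the error text produced when the expanded content is rejected."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write(secret_text + "\n")  # constructed stand-in for a readable secret
        path = fh.name
    argv = ["--name", "@" + path]
    try:
        leaked = parse(argv, expand_at_files=True)["name"]     # file content becomes the value
        literal = parse(argv, expand_at_files=False)["name"]   # token stays '@/tmp/...'
        try:
            parse(["@" + path], expand_at_files=True)           # no option: content is rejected...
            reflected = None
        except ArgError as exc:
            reflected = str(exc)                                # ...but echoed in the error
    finally:
        os.unlink(path)
    return {"vulnerable": leaked, "hardened": literal, "error_reflects": reflected}


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The point for a defender is in the last two results: disabling expansion (or, on Jenkins, disabling CLI access as the advisory recommends until patched) removes the file read entirely, whereas relying on the command to fail is not a mitigation, because the model's error message still carries the file's content.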
The Jenkins team identified a large number of remote code execution (RCE) vectors that this arbitrary file read enables, including via resource root URLs, via the “remember me” cookie, through XSS, or by bypassing CSRF protection.
From there, attack impacts included decrypting secrets, deleting any item, and downloading Java heap dumps of the Jenkins controller process or any agent process.
Proof-of-concept code has been published at two GitHub repositories.
The ACSC’s warning probably arises from the large number of vulnerable systems identified by the Shadowserver Foundation.
“Around 45,000 exposed Jenkins instances vulnerable to CVE-2024-23897 (Arbitrary file read vulnerability through the CLI can lead to RCE). If you run Jenkins and receive an alert from us, make sure to read the Jenkins advisory,” Shadowserver posted on X.
The high-rated CVE-2024-23898 enables cross-site WebSocket hijacking in the command line interface.
The Australian Cyber Security Centre is “also tracking CVE-2024-23899, CVE-2024-23900, CVE-2024-23901, CVE-2024-23902, CVE-2024-23903, CVE-2023-6148, CVE-2023-6147, CVE-2024-23905 and CVE-2024-23904 affecting Jenkins products.”