Jenkins is an open-source automation server that is widely used for continuous integration and continuous delivery (CI/CD) pipelines. However, as with any software application, there are potential security vulnerabilities that can arise over time. Recently, a security alert was issued warning of new security flaws in Jenkins that could allow code execution attacks.

The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All versions of Jenkins versions prior to 2.319.2 are vulnerable and exploitable.

Code execution attacks can allow attackers to execute arbitrary code on a target system, potentially compromising the security and integrity of that system. In the case of Jenkins, these vulnerabilities could allow an attacker to execute code within a Jenkins pipeline or job, potentially resulting in unauthorized access, data loss, or other security risks.

It is important for Jenkins administrators and users to take this security alert seriously and take immediate action to secure their Jenkins environments. Updating Jenkins, reviewing configuration settings, and monitoring for suspicious activity are all important steps to take in response to this type of security vulnerability.

Affected Software

Jenkins servers running versions 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive)  are vulnerable.

Detection

Detecting security flaws that could allow code execution attacks in Jenkins can be challenging, as these vulnerabilities may not always be immediately apparent or easily detectable. However, there are several methods that can be used to help detect potential security issues in Jenkins:

 

1. Security Scanning: Automated security scanning tools can be used to scan Jenkins servers and environments for known vulnerabilities and configuration issues.
2. Log Monitoring: Monitoring Jenkins logs for unusual activity or error messages can help detect potential security issues.
3. Event Monitoring: Monitoring Jenkins events, such as job executions and plugin installations, can help detect unusual or unexpected activity.
4. Access Monitoring: Monitoring access to Jenkins servers and environments can help detect unauthorized access attempts or suspicious activity.
5. Penetration Testing: Performing regular penetration testing on Jenkins environments can help identify security vulnerabilities that may be exploitable by attackers.
6. Keeping Software Up-to-Date: Keeping all software components, including Jenkins and any installed plugins or integrations, up-to-date with the latest security patches and updates can help reduce the risk of security vulnerabilities.

By using a combination of these methods, administrators and users can help detect potential security issues in Jenkins and take appropriate action to address them.

Demonstration

1. Jenkins processes the plugins that are downloaded from the Update Center, making it possible for a threat actor to upload a malicious plugin and start an XSS attack.
2. The XSS is activated as the user opens the “Available Plugin Manager” on their Jenkins server, enabling attackers to use the Script Console API to run arbitrary code on the Jenkins Server, according to Aqua.
3. The vulnerability can be used without installing the plugin or even going to the plugin’s URL because it also involves stored XSS, where the JavaScript code is injected into the server.
4. Unsettlingly, the weaknesses may also affect Jenkins servers that are self-hosted and may be used against users even in situations where the server is not publicly available through the internet since the public Jenkins Update Center could be “injected by attackers.”

Remediation

Here are some potential remediation steps to consider:

1. Update Jenkins and plugins: Check for any available updates to Jenkins and all installed plugins, and install them promptly. These updates may contain patches for security vulnerabilities, including those related to code execution attacks.
2. Review Jenkins configuration: Review your Jenkins configuration to ensure that you’re following security best practices. For example, check if you’re using secure passwords, if you’ve enabled two-factor authentication, and if you’ve properly restricted access to sensitive data.
3. Limit access: Limit the number of people who have access to your Jenkins environment, and ensure that only authorized individuals are able to execute code.
4. Monitor for suspicious activity: Monitor your Jenkins logs and system activity for any signs of suspicious activity, such as unusual login attempts or unexpected changes to your Jenkins configuration.
5. Consider using security tools: Consider using security tools, such as intrusion detection systems or vulnerability scanners, to help identify potential security risks in your Jenkins environment.
6. Implement additional security measures: In addition to the above steps, you may want to implement additional security measures, such as network segmentation or data encryption, to further secure your Jenkins environment.