Two significant vulnerabilities have been identified in Jenkins, the widely used open-source automation server. The most critical of these vulnerabilities, tracked as CVE-2024-43044, could lead to Remote Code Execution (RCE), posing a severe risk to affected systems. An additional medium-severity vulnerability, CVE-2024-43045, involves a missing permission check that could allow unauthorized access to sensitive user configurations.
CVE-2024-43044: Critical Arbitrary File Read Vulnerability
Description:
- This critical vulnerability enables attackers with Agent/Connect permission to read arbitrary files from the Jenkins controller file system. Such access can potentially expose sensitive data, facilitating further exploitation that could lead to remote code execution (RCE).
- The vulnerability is rooted in the Remoting library used by Jenkins for communication between the controller and agents. Specifically, the ClassLoaderProxy#fetchJar method within this library allows agent processes to read arbitrary files from the Jenkins controller.
Affected Versions:
- Jenkins weekly versions up to and including 2.470.
- Jenkins LTS versions up to and including 2.452.3.
Technical Details:
- Jenkins plugins leverage the Remoting library’s Channel#preloadJar API to send entire jar files to agents. Exploiting this mechanism, an attacker can use the ClassLoaderProxy#fetchJar method to read files from the controller’s file system in affected Jenkins versions.
- This issue was reported by Yangyue and Jiangchenwei from Nebulalab.
CVE-2024-43045: Medium Severity Missing Permission Check
Description:
- This vulnerability allows attackers with Overall/Read permission to access or modify other users’ “My Views” in Jenkins, bypassing the intended access controls.
- The issue arises from an HTTP endpoint in Jenkins that fails to conduct a permission check, leading to potential unauthorized access to user-specific configurations.
Affected Versions:
- Jenkins weekly versions up to and including 2.470.
- Jenkins LTS versions up to and including 2.452.3.
Technical Details:
- Attackers with Overall/Read permission can read other users’ “My Views”. Additionally, attackers with View/Configure and View/Delete permissions can alter these views.
- This vulnerability was reported by Daniel Beck from CloudBees, Inc.
Mitigation and Recommendations
Affected Versions:
- Jenkins weekly versions up to and including 2.470.
- Jenkins LTS versions up to and including 2.452.3.
Patched Versions:
- Jenkins weekly should be updated to version 2.471.
- Jenkins LTS should be updated to versions 2.452.4 or 2.462.1.
Immediate Action Required:
- Update Jenkins installations to the latest patched versions to mitigate these vulnerabilities.
- Review and restrict Agent/Connect permissions as necessary to minimize potential exposure to RCE attacks.
- Regularly audit and review Jenkins user permissions, particularly those related to Overall/Read, View/Configure, and View/Delete roles, to ensure compliance with security best practices.
The discovery of these vulnerabilities in Jenkins underscores the importance of maintaining up-to-date software and implementing strict access controls. Immediate patching and diligent permission management are crucial to preventing potential exploitation, particularly with the critical risk of RCE associated with CVE-2024-43044.
