CVE-2024-23897 Jenkins Vulnerability

Critical Jenkins Vulnerability with NO Patch – CVE-2024-23897

CVE-2024-23897 is a critical vulnerability in Jenkins, a software automation tool. This vulnerability allows attackers to read arbitrary files in the file system of the Jenkins controller. The vulnerability arises because Jenkins does not disable a function in its CLI command parser that replaces a ‘@’ character followed by a file path in an argument with the file’s content, enabling unauthorized attackers to read arbitrary files in the file system of the Jenkins controller.
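To make the mechanism concrete, here is an added illustrative model (not Jenkins or args4j code) of an argument parser with the '@file' expansion the advisory describes, beside the same parser with that expansion switched off. The file path and its content are constructed for the demo; the model assumes one argument per file line.

```python
import os
import tempfile


def parse_cli_args(argv, at_syntax=True):
    """Model of an args4j-style parser (illustrative, not the real library).

    With at_syntax on, an argument beginning with '@' is replaced by the
    lines of the named file. With it off, the argument is kept literally.
    """
    expanded = []
    for arg in argv:
        if at_syntax and arg.startswith("@"):
            # The read happens during argument parsing, before any command
            # logic or permission check runs: this is the risky behaviour.
            with open(arg[1:], encoding="utf-8") as fh:
                expanded.extend(line.rstrip("\n") for line in fh if line.strip())
        else:
            expanded.append(arg)
    return expanded


def demo():
    """Compare both parser modes on a constructed stand-in for a sensitive file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("secret-line-1\nsecret-line-2\n")  # constructed sample content
        path = fh.name
    try:
        argv = ["help", "@" + path]
        vulnerable = parse_cli_args(argv)                  # file lines become arguments
        hardened = parse_cli_args(argv, at_syntax=False)   # '@<path>' stays a literal string
    finally:
        os.unlink(path)
    return vulnerable, hardened


if __name__ == "__main__":
    leaked, safe = demo()
    print("with @-expansion:   ", leaked)
    print("without @-expansion:", safe)
```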

Currently, there is no available solution for this vulnerability. Users are advised to update to the latest version of Jenkins as soon as it becomes available.

How do I know if my version of Jenkins is vulnerable?

To check whether your Jenkins version is vulnerable, you can use the Jenkins security analysis tool, which identifies common vulnerabilities in the Jenkins core and plugins. To use this tool, follow these steps:

  1. In your GitHub repository, select the “Actions” link at the top.
  2. If you already have some workflows in your repository, click on “New workflow.”
  3. In the “For Jenkins” section, select “Jenkins Security Scan.”
  4. Configure the YAML workflow file in your repository. You can use it without modifications.
  5. We recommend committing this file to the default branch rather than adding it through a pull request. This way, security analysis findings won’t be visible in a pull request check.
  6. Once saved, you should be able to view findings for branches in the “Security” tab under “Code scanning alerts.”

Alternatively, you can check if your Jenkins version is vulnerable using the following command in the Jenkins console:

groovy -e 'println org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource'

If the output is groovy.lang.MissingPropertyException: No such property: org for class: Script1, then your version of Jenkins is not vulnerable.

CVE-2024-23897 threats and impacts

The vulnerability could also be exploited to read binary files containing cryptographic keys, albeit with certain restrictions. If binary secrets can be extracted, Jenkins states that it could open the door to various attacks:

  - Remote code execution through the root resource URL.
  - Remote code execution through the “Remember Me” cookie.
  - Deletion of any item in Jenkins.
  - Remote code execution through stored cross-site scripting (XSS) attacks via build logs.
  - Decryption of secrets stored in Jenkins.
  - Remote code execution through CSRF protection bypass.
  - Downloading a Java memory dump.

Jenkins comment about the attacks list related to CVE-2024-23897. From the jenkins.io website.

For more details: Jenkins Security Advisory 2024-01-24 

Protect yourself while waiting for the update for CVE-2024-23897

While awaiting the update, there are some measures you can take to protect against the CVE-2024-23897 vulnerability in Jenkins. Here are some suggestions:

  1. Disable CLI Access: As a temporary measure, it is recommended to disable access to the Jenkins Command Line Interface (CLI). This will prevent attackers from exploiting the vulnerability through the CLI.
  2. Restrict Jenkins Access: It is crucial to limit access to Jenkins to only trusted and authenticated users.
  3. Monitor the System: Keep an eye on your system for any suspicious activity. If you notice anything unusual, such as missing files or changes in files, your system may have been compromised.
  4. Stay Updated: Ensure you stay informed about the latest news regarding the vulnerability and Jenkins updates.

How to disable CLI

To disable access to the Jenkins CLI, follow these steps:

  1. Go to the Jenkins security configuration page.
  2. Select the “Configure Global Security” option.
  3. Scroll down to the “Overall Security” section.
  4. Choose the option “Deny Anonymous Access to CLI.”
  5. Click “Save” to apply and save the changes.

After implementing these changes, Jenkins CLI access will no longer be available for anonymous users.
