A vulnerability has been identified in the Jenkins automation software. The vulnerability could allow an attacker to perform Remote Code Execution (RCE) on a controller server. The vulnerability (CVE-2024-43044) has a Critical CVSSv3.1 score of 9.0 out of 10.
Description:
CVE-2024-43044 involves an exploitation of the remoting library that Jenkins uses to facilitate communication between controller and agent components, including through the sharing of Java objects between them. Due to an oversight, requests from potential agents could be formatted in a way that allows them to retrieve and read any arbitrary files from the Jenkins controller file system.
A recently released proof-of-concept exploit takes advantage of the vulnerability to forge an admin cookie which allows an attacker to log into the Jenkins server with full privileges; due to this, the vulnerability is currently being exploited in the wild. Obrela has identified tens of thousands of publicly accessible servers that are still running vulnerable versions worldwide.
Affected Versions:
Jenkins controller servers on versions up to and including 2.470 and LTS 2.452.3 are vulnerable to the exploit.
Recommendations:
- Ensure Jenkins controllers are updated to any of the following versions: 2.471, LTS 2.452.4, LTS 2.462.1, or later.
- If prompt updating is not possible, an official workaround for vulnerable versions has been made available at https://github.com/jenkinsci-cert/SECURITY-3430.
- Ensure automatic updates are enabled for future instances.
References:
https://www.jenkins.io/security/advisory/2024-08-07/#SECURITY-3430
https://github.com/jenkinsci-cert/SECURITY-3430
https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/
https://github.com/convisolabs/CVE-2024-43044-jenkins
https://nvd.nist.gov/vuln/detail/CVE-2024-43044
