Jenkins disclosed multiple zero-day vulnerabilities in dozens of plugins


On June 30th 2022, the Jenkins security team disclosed 34 vulnerabilities affecting 29 of the more than 1,700 plugins it supports. Jenkins is an open-source automation server used by enterprises worldwide to build, test, and deploy software as part of continuous integration and continuous delivery pipelines.

According to the Jenkins security team, the vulnerabilities carry CVSS base scores ranging from low to high severity, and the affected plugins have more than 22,000 installs between them. Eleven of the advisories are rated high severity, 14 medium, and 9 low.

The June 30 advisory follows a similar one from June 22 that covered 28 plugins and Jenkins core. For 14 of those plugins, no fix is available. The vulnerability classes include reflected and stored cross-site scripting (XSS), cross-site request forgery (CSRF), and information disclosure from secrets such as passwords, API keys, and tokens being stored in plain text. Most of the high severity vulnerabilities require user interaction to exploit, whereas many of the low severity ones can be exploited remotely without it.

Many of the vulnerabilities are still unpatched. So far the Jenkins security team has confirmed fixes for four plugins; the remaining 25 affected plugins are awaiting patches.

Shodan search data shows more than 144,000 Jenkins servers exposed online, each a potential target if it runs any of the unpatched plugins.


While the Jenkins team has patched four of the plugins (GitLab 1.5.35, requests-plugin 2.2.17, TestNG Results 555.va0d5f66521e3, XebiaLabs XL Release 22.0.1), a long list of plugins has no fix yet. The affected versions, including the vulnerable releases of the four patched plugins, are:

  • Build Notifications Plugin up to and including 1.5.0
  • build-metrics Plugin up to and including 1.3
  • Cisco Spark Plugin up to and including 1.1.1
  • Deployment Dashboard Plugin up to and including 1.0.10
  • Elasticsearch Query Plugin up to and including 1.2
  • eXtreme Feedback Panel Plugin up to and including 2.0.1
  • Failed Job Deactivator Plugin up to and including 1.2.1
  • GitLab Plugin up to and including 1.5.34
  • HPE Network Virtualization Plugin up to and including 1.0
  • Jigomerge Plugin up to and including 0.9
  • Matrix Reloaded Plugin up to and including 1.1.3
  • OpsGenie Plugin up to and including 1.9
  • Plot Plugin up to and including 2.1.10
  • Project Inheritance Plugin up to and including 21.04.03
  • Recipe Plugin up to and including 1.2
  • Request Rename Or Delete Plugin up to and including 1.1.0
  • requests-plugin Plugin up to and including 2.2.16
  • Rich Text Publisher Plugin up to and including 1.4
  • RocketChat Notifier Plugin up to and including 1.5.2
  • RQM Plugin up to and including 2.8
  • Skype notifier Plugin up to and including 1.1.0
  • TestNG Results Plugin up to and including 554.va4a552116332
  • Validating Email Parameter Plugin up to and including 1.10
  • XebiaLabs XL Release Plugin up to and including 22.0.0
  • XPath Configuration Viewer Plugin up to and including 1.1.1
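The practical question for an administrator is whether any installed plugin falls inside the version ranges above. The following script is an added example, not code from the original article or from the Jenkins project. It assumes the plugin inventory comes from Jenkins' plugin-manager JSON API (GET /pluginManager/api/json?depth=1, which lists each plugin's shortName, longName and version), that the display names in the advisory list match the API's longName field, and that Jenkins plugin versions order by their leading numeric components (so 1.5.34 < 1.5.35 and 554.va4a552116332 < 555.va0d5f66521e3). The sample inventory is constructed for the demonstration.

```python
"""Flag installed Jenkins plugins that fall inside the 2022-06-30 advisory's
affected version ranges.  Added example; assumes the pluginManager JSON API
shape and longName/display-name matching described in the lead-in."""
import json
import re
from typing import Dict, List, Tuple

# "Up to and including" ceilings copied from the advisory list.
AFFECTED_MAX: Dict[str, str] = {
    "Build Notifications Plugin": "1.5.0",
    "build-metrics Plugin": "1.3",
    "Cisco Spark Plugin": "1.1.1",
    "Deployment Dashboard Plugin": "1.0.10",
    "Elasticsearch Query Plugin": "1.2",
    "eXtreme Feedback Panel Plugin": "2.0.1",
    "Failed Job Deactivator Plugin": "1.2.1",
    "GitLab Plugin": "1.5.34",
    "HPE Network Virtualization Plugin": "1.0",
    "Jigomerge Plugin": "0.9",
    "Matrix Reloaded Plugin": "1.1.3",
    "OpsGenie Plugin": "1.9",
    "Plot Plugin": "2.1.10",
    "Project Inheritance Plugin": "21.04.03",
    "Recipe Plugin": "1.2",
    "Request Rename Or Delete Plugin": "1.1.0",
    "requests-plugin Plugin": "2.2.16",
    "Rich Text Publisher Plugin": "1.4",
    "RocketChat Notifier Plugin": "1.5.2",
    "RQM Plugin": "2.8",
    "Skype notifier Plugin": "1.1.0",
    "TestNG Results Plugin": "554.va4a552116332",
    "Validating Email Parameter Plugin": "1.10",
    "XebiaLabs XL Release Plugin": "22.0.0",
    "XPath Configuration Viewer Plugin": "1.1.1",
}

# Fixed releases named in the article; every other entry has no fix yet.
FIXED_IN: Dict[str, str] = {
    "GitLab Plugin": "1.5.35",
    "requests-plugin Plugin": "2.2.17",
    "TestNG Results Plugin": "555.va0d5f66521e3",
    "XebiaLabs XL Release Plugin": "22.0.1",
}


def version_key(version: str) -> Tuple[int, ...]:
    """Leading numeric components of a plugin version, e.g. '21.04.03' -> (21, 4, 3).
    Stops at the first non-integer component (the 'va...' hash suffix of
    incrementals-style versions), which is where 555.va... vs 554.va... is decided."""
    key: List[int] = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def is_affected(long_name: str, version: str) -> bool:
    """True if the plugin is in the advisory and its version is at or below the ceiling."""
    ceiling = AFFECTED_MAX.get(long_name)
    if ceiling is None:
        return False
    return version_key(version) <= version_key(ceiling)


def audit(plugin_manager_json: str) -> List[Dict[str, str]]:
    """One finding per installed plugin inside an affected range, with the fix if one exists."""
    findings = []
    for plugin in json.loads(plugin_manager_json)["plugins"]:
        name, version = plugin["longName"], plugin["version"]
        if is_affected(name, version):
            findings.append({
                "plugin": name,
                "shortName": plugin["shortName"],
                "installed": version,
                "fixed_in": FIXED_IN.get(name, "no fix available"),
            })
    return findings


# Constructed sample inventory in the shape of /pluginManager/api/json?depth=1.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "gitlab-plugin", "longName": "GitLab Plugin", "version": "1.5.34"},
    {"shortName": "testng-plugin", "longName": "TestNG Results Plugin", "version": "555.va0d5f66521e3"},
    {"shortName": "plot", "longName": "Plot Plugin", "version": "2.1.10"},
    {"shortName": "git", "longName": "Git plugin", "version": "4.11.3"},
]})

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding['plugin']} ({finding['shortName']}) {finding['installed']}: "
              f"fixed in {finding['fixed_in']}")
```

Against the sample, only GitLab 1.5.34 (fixed in 1.5.35) and Plot 2.1.10 (no fix available) are reported; TestNG Results 555.va0d5f66521e3 is the patched release and the Git plugin is not in the advisory. Plugins flagged with "no fix available" can only be mitigated by disabling or removing them until a fixed release appears.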

Although none of the high severity vulnerabilities can be exploited remotely without user interaction to take over a server, they could still be used in attacks against enterprise networks.

It would not be the first time Jenkins servers have been compromised; they have previously been hijacked to mine Monero cryptocurrency.

More likely, attackers would use these zero-days for reconnaissance, gaining insight into a targeted company's infrastructure.


