Tens of thousands of Jenkins servers are exposed to a critical flaw that lets attackers read arbitrary files from the controller and, depending on the configuration, chain that into remote code execution.
The project has released fixed versions for both its weekly and LTS release lines and urges users to update immediately rather than accept unnecessary risk.
Jenkins is an open source automation server for CI/CD that lets development teams automate building, testing and deploying software.
No evidence of abuse (yet).
Last week, the project released versions 2.442 and LTS 2.426.3, which address an arbitrary file read vulnerability tracked as CVE-2024-23897. This vulnerability, BleepingComputer reports, already has multiple proof-of-concept (PoC) exploits in the wild. According to the advisory issued with the patches, the problem is in the command line interface (CLI): the args4j library that Jenkins uses to parse CLI command arguments has a feature that replaces an @ character followed by a file path with the contents of that file. The feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier did not disable it.
Attackers can abuse it in a number of ways. With Overall/Read permission they can read entire files; without it they can still read the first few lines of a file. That is enough to expose sensitive information such as secrets, and reading the controller's binary secret keys can be chained into running malicious code on the vulnerable server. The advisory also lists deleting any item in Jenkins and downloading a Java heap dump as possible outcomes.
According to a Shadowserver scan, there are approximately 45,000 unpatched Jenkins servers exposed to the internet. The majority of these endpoints are in China (12,000), followed by the United States (11,830), Germany (3,060), India (2,681), France (1,431) and the United Kingdom (1,029). Several PoCs are already circulating, but it is unclear whether threat actors have picked them up or used them in any of their campaigns.
BleepingComputer says some Jenkins honeypots observed activity "that resembled real exploitation attempts," although the evidence appears inconclusive.
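For administrators who want to find unpatched instances in their own estate rather than wait for a Shadowserver notification, the following is an added example (it is not from the article or from the Jenkins project) that triages Jenkins hosts by version. It relies on the fact that Jenkins reports its version in the X-Jenkins response header and on the fixed versions named in the advisory (weekly 2.442, LTS 2.426.3; LTS versions have three components, weekly versions two). The scan results embedded below are constructed sample data, and the hostnames are hypothetical.

```python
"""Triage Jenkins hosts for CVE-2024-23897 using the X-Jenkins version header.

Fixed releases per the Jenkins advisory: weekly 2.442, LTS 2.426.3.
Weekly versions look like 2.441 (two components); LTS versions look like
2.426.2 (three components). Anything older on its own line is unpatched.
"""
from __future__ import annotations

import re
import sys
import urllib.request
from dataclasses import dataclass

FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# major.minor[.patch] with an optional suffix such as -SNAPSHOT
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?$")


@dataclass(frozen=True)
class Verdict:
    host: str
    version: str | None      # raw header value, None if absent
    line: str                # "weekly", "lts" or "unknown"
    vulnerable: bool | None  # None when it cannot be determined


def parse_version(header: str) -> tuple[int, ...] | None:
    """Turn '2.426.2' into (2, 426, 2); return None for unparseable input."""
    m = _VERSION_RE.match(header.strip())
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts)


def is_vulnerable(header: str) -> bool | None:
    """True if the version predates the fix on its release line."""
    v = parse_version(header)
    if v is None:
        return None
    # Three components means an LTS build, which is compared against the
    # LTS fix; a weekly build is compared against the weekly fix.
    return v < FIXED_LTS if len(v) == 3 else v < FIXED_WEEKLY


def triage(scan_results: dict[str, dict[str, str]]) -> list[Verdict]:
    """Classify each host from its response headers (names are case-insensitive)."""
    verdicts: list[Verdict] = []
    for host, headers in scan_results.items():
        lowered = {k.lower(): v for k, v in headers.items()}
        raw = lowered.get("x-jenkins")
        if raw is None or parse_version(raw) is None:
            verdicts.append(Verdict(host, raw, "unknown", None))
            continue
        line = "lts" if len(parse_version(raw)) == 3 else "weekly"
        verdicts.append(Verdict(host, raw, line, is_vulnerable(raw)))
    return verdicts


def vulnerable_hosts(scan_results: dict[str, dict[str, str]]) -> list[str]:
    return sorted(v.host for v in triage(scan_results) if v.vulnerable)


def probe(url: str, timeout: float = 5.0) -> dict[str, str]:
    """Fetch response headers from a live Jenkins URL (only used from main)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample data standing in for a real header scan.
SAMPLE_SCAN = {
    "ci-a.example": {"X-Jenkins": "2.426.2", "Server": "Jetty(10.0.18)"},
    "ci-b.example": {"x-jenkins": "2.426.3"},
    "ci-c.example": {"X-Jenkins": "2.441"},
    "ci-d.example": {"X-Jenkins": "2.442"},
    "ci-e.example": {"X-Jenkins": "2.414.3"},
    "ci-f.example": {"Server": "nginx"},  # header stripped or not Jenkins
}

if __name__ == "__main__":
    results = {u: probe(u) for u in sys.argv[1:]} if len(sys.argv) > 1 else SAMPLE_SCAN
    for verdict in triage(results):
        print(verdict)
```

Two caveats apply to the verdicts. A reverse proxy or WAF may strip the X-Jenkins header, so an "unknown" result is not a clean bill of health and needs a manual check. In the other direction, "vulnerable" here means unpatched, not necessarily exploitable: an instance whose CLI access has been disabled is still flagged by version but is not reachable through this bug.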
Given the severity of the flaw, administrators are advised to update to 2.442 or LTS 2.426.3 as soon as possible. The advisory states that disabling access to the CLI is expected to prevent exploitation completely, so those who cannot update immediately should apply that workaround and consult the Jenkins project's advisory for details.