CVE-2024-43044 is a critical vulnerability rated "Critical" affecting Jenkins, a widely used open source automated server software for building, testing, and deploying software projects. However, the existence of this vulnerability exposes a large number of Jenkins servers to potential security risks.
Vulnerability Profile
CVE-2024-43044 is a Remote Code Execution (RCE) vulnerability that primarily affects the following versions of Jenkins:
- Jenkins Weekly version below 2.470
- Jenkins LTS version below 2.452.3
The vulnerability allows an attacker with Agent/Connect privileges to read arbitrary files through a proxy connection in Jenkins, an action that can be further exploited to execute remote code.
Technical details of the vulnerability
This vulnerability exploits Jenkins' Remoting library, which is commonly used for communication between Jenkins controllers and agents.The Remoting library allows agents to load classes and resources from the controller, so Java objects sent from the controller (e.g., build steps, etc.) can be executed on the agent.
In the affected version of Jenkins, the Remoting library transfers the entire JAR file to the agent via the Channel#preloadJar API, but does not effectively restrict the path to the file that the agent requests to read. This means that an agent process or code running on the agent, or even an attacker with Agent/Connect privileges, can read any file in the Jenkins controller file system.
More seriously, an attacker can use this vulnerability to read sensitive files, such as /etc/passwd or Jenkins configuration files, to further gain access to sensitive information on the system or execute remote code.
Use of scenarios
The vulnerability is not limited to reading files, but can be further exploited by reading sensitive files on the Jenkins controller. For example, an attacker can read the $JENKINS_HOME/users/users.xml file to obtain Jenkins user information, or read a key file such as $JENKINS_HOME/secrets/master.key to generate a valid "remember me" cookie, which can be used to fake the administrator's identity to log in to Jenkins.
Impact of vulnerabilities
According to security research, approximately 80,000 Internet-exposed Jenkins servers are affected by this vulnerability in 93 countries and territories worldwide, with the largest number of affected servers in the United States.
Repair of vulnerabilities
Jenkins has officially released a fix patch for this vulnerability, and all users are advised to upgrade to the following version as soon as possible:
- Jenkins Weekly version 2.471 or higher
- Jenkins LTS version 2.452.4 or 2.462.1
The fix patch modifies the ClassLoaderProxy#fetchJar implementation so that it can only retrieve the contents of JAR files referenced by the core class loader or plug-in class loader, thus preventing unauthorized file reads.
reach a verdict
The implications of the CVE-2024-43044 vulnerability are wide-ranging and serious, especially for organizations that rely on Jenkins for continuous integration and continuous delivery. All Jenkins administrators are advised to take immediate action to update to a secure version and review and strengthen the security configuration of their Jenkins servers to prevent potential attacks.
For further details on the vulnerability and remediation recommendations, users can refer to the security advisory on the official Jenkins website.
