Tens of thousands of Jenkins servers remain exposed to a critical bug even though a fix has been published. The flaw, tracked as CVE-2024-23897, lets an attacker read arbitrary files from the Jenkins controller and, from there, escalate to remote code execution (RCE) on affected systems. Around 45,000 Internet-facing Jenkins instances are said to be running vulnerable versions.
Around 45K exposed Jenkins instances vulnerable to CVE-2024-23897 (Arbitrary file read vulnerability through the CLI can lead to RCE). If you run Jenkins & receive an alert from us make sure to read Jenkins advisory: https://t.co/aPPOHT1WXx
World map: https://t.co/GNVwKGM1R9 pic.twitter.com/Zb9Do5BOi8
— Shadowserver (@Shadowserver) January 29, 2024
The Jenkins project's advisory rates the flaw critical, explaining that it “allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”
The open source project fixed the issue in two releases, weekly 2.442 and LTS 2.426.3, and strongly advises users to upgrade promptly to minimize the risk. Jenkins is an automation server that development teams use to build, test and deploy software in CI/CD pipelines, so a controller typically holds credentials and secrets for a large part of the delivery chain.
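As an added example (not code from the article or from the Jenkins project), the following script classifies Jenkins version strings against the fix boundary described above: weekly releases carry two version components and are fixed from 2.442, LTS releases carry three and are fixed from 2.426.3. The inventory lines are constructed for the example; in practice the version is what a controller reports in its `X-Jenkins` HTTP response header.

```python
"""Classify Jenkins version strings against the CVE-2024-23897 fix boundary.

Added example, not from the article or the Jenkins project. Fixed releases
are weekly 2.442 and LTS 2.426.3 (per the Jenkins advisory); anything below
its line's boundary is vulnerable. The inventory below is constructed.
"""
from __future__ import annotations

FIXED_WEEKLY = (2, 442)      # first safe weekly release
FIXED_LTS = (2, 426, 3)      # first safe LTS release

# Constructed inventory: "<host> <version as reported in X-Jenkins>"
SAMPLE_INVENTORY = """\
ci-a.example.internal 2.441
ci-b.example.internal 2.442
ci-c.example.internal 2.426.2
ci-d.example.internal 2.426.3
ci-e.example.internal 2.387.3
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: str) -> bool:
    """LTS releases have a third component (2.426.3); weekly releases do not (2.442)."""
    return len(parse_version(version)) == 3


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its own release line."""
    v = parse_version(version)
    if len(v) == 2:
        return v < FIXED_WEEKLY
    if len(v) == 3:
        return v < FIXED_LTS
    raise ValueError(f"unexpected version shape: {version!r}")


def vulnerable_hosts(inventory: str) -> list[tuple[str, str]]:
    """Return (host, version) pairs from the inventory that still need the patch."""
    flagged: list[tuple[str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        if is_vulnerable(version):
            flagged.append((host, version))
    return flagged


if __name__ == "__main__":
    for host, version in vulnerable_hosts(SAMPLE_INVENTORY):
        line = "LTS" if is_lts(version) else "weekly"
        print(f"{host}: {version} ({line}) is vulnerable to CVE-2024-23897")
```

The comparison is done on integer tuples rather than strings so that 2.441 sorts below 2.442 and 2.426.2 below 2.426.3; a naive string compare would misorder versions such as 2.99 and 2.100.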
The Register reports that the majority of the affected servers are located in the US and China, with counts of 15,806 and 11,955 respectively. Following these are India with 3,572 servers, Germany with 3,487, the Republic of Korea with 2,204, France with 1,482, and the UK with 1,179 vulnerable servers.
The vulnerability was reported by Sonar’s Vulnerability Research Team and disclosed, together with the fixed releases, on January 24th. The fix exists; the exposure persists because tens of thousands of instances are still running affected versions.
How severe is the vulnerability?
CVE-2024-23897 carries a CVSS score of 9.8, which places it in the critical range. The flaw sits in Jenkins’ built-in command line interface (CLI), which is enabled by default in Jenkins 2.441 and earlier and LTS 2.426.2 and earlier. The CLI parses its arguments with the args4j library, whose parser replaces an argument beginning with an @ character followed by a file path with the contents of that file. An attacker can therefore make the controller read arbitrary files and reflect parts of them back, for example inside error messages. Per the advisory, attackers with Overall/Read permission can read entire files, while attackers without it can still read the first few lines of a file; the fix disables this expansion by default.
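To make the mechanism concrete, here is an added example (not Jenkins or args4j code) that models the @-file expansion in a toy CLI command. The constructed `connect-node` command rejects unknown node names with an error that echoes the name back; with expansion enabled, passing `@/path/to/file` turns the file's first line into that name, so the error message leaks it. The hardened variant treats the argument literally, which is what the Jenkins fix does by default. The secret file, node names and command are all constructed for the example.

```python
"""Toy model of the CLI argument expansion behind CVE-2024-23897.

Added example, not code from Jenkins or args4j. Before the fix, the CLI's
argument parser replaced an argument of the form '@<path>' with the lines of
that file; a command whose error message echoes an argument back then leaks
file contents. Node names, the command and the secret file are constructed.
"""
import tempfile
from pathlib import Path

KNOWN_NODES = {"builder-1", "builder-2"}  # constructed agent inventory


def expand_at_files(args, encoding="utf-8"):
    """args4j-style expansion: '@/path' becomes the lines of that file.

    The real parser used the controller process's default encoding, which is
    why binary files come back garbled; utf-8 is assumed here.
    """
    expanded = []
    for arg in args:
        if arg.startswith("@"):
            expanded.extend(Path(arg[1:]).read_text(encoding=encoding).splitlines())
        else:
            expanded.append(arg)
    return expanded


def connect_node(args, expand_at_syntax):
    """Toy 'connect-node NAME' command; returns the text the CLI client sees.

    expand_at_syntax=True models the vulnerable parser, False the fixed one.
    """
    argv = expand_at_files(args) if expand_at_syntax else list(args)
    if not argv:
        return "ERROR: missing node name"
    name = argv[0]
    if name not in KNOWN_NODES:
        # The echo of the unknown name is the leak channel.
        return f'ERROR: No such agent "{name}" exists.'
    return f"OK: connecting {name}"


def demo():
    """Run the same request against the vulnerable and the fixed parser."""
    with tempfile.TemporaryDirectory() as workdir:
        secret = Path(workdir) / "secret.key"  # stands in for a key file on the controller
        secret.write_text("hunter2-first-line\nsecond-line\n", encoding="utf-8")
        leaked = connect_node([f"@{secret}"], expand_at_syntax=True)
        safe = connect_node([f"@{secret}"], expand_at_syntax=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser:", leaked)
    print("fixed parser:     ", safe)
```

Only the first line reaches the error message in this toy, which matches the "first few lines" behaviour the advisory describes for low-privileged attackers; commands that accept more positional arguments, or that reflect all of them, leak correspondingly more.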
This vulnerability in #Jenkins is serious CVE-2024-23897
POCs have been published https://t.co/nGtbf8fehd https://t.co/pzY0NSL5bA
report by @SonarSource https://t.co/VNAUg2PDN8 pic.twitter.com/vbiWGmj47M
— Florian Roth (@cyb3rops) January 26, 2024
According to BleepingComputer, attackers can use the file read to decrypt stored secrets, delete items from Jenkins servers, and download Java heap dumps. The same report noted that there had already been several possible “genuine attempts at exploitation.”
In 2023, Jenkins was considered one of the best developer tools of the year due to its extensibility and adaptability. However, cybersecurity firm Armis has reported that cyber attacks more than doubled in 2023. They warn that numerous businesses worldwide continue to underestimate the escalating threat to cybersecurity.
Featured image: Canva / The Jenkins Project