At the beginning of this year, the Jenkins open-source CI/CD software project released a patch for a security vulnerability. Now, reports are surfacing, including code samples for potential attacks. This means that users of Jenkins, especially those who expose their servers to the internet, should expedite the patching process.
The vulnerability stems from Jenkins' use of the args4j command-line parsing library, which treats an argument beginning with the “@” symbol as a reference to a file and expands it into that file's contents. The Jenkins project was not aware of this feature and had not disabled it, making it possible for malicious individuals to submit code that can be executed on affected machines through various means, such as Remote Root URLs or cookies.
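The expansion described above, modelled in Python as an added example (this is not Jenkins or args4j code): an argument starting with “@” is silently replaced by the tokens read from the file it names, so a parser that accepts untrusted arguments with this feature enabled doubles as a file reader; the hardened setting keeps “@” literal, which is what disabling the feature in args4j amounts to. The file contents are constructed sample data.

```python
import tempfile
from pathlib import Path


def parse_args(argv, at_syntax=True):
    """Model of an args4j-style argument parser.

    at_syntax=True  : an argument starting with '@' is replaced by the
                      whitespace-separated tokens read from the named file
                      (the behaviour the advisory describes).
    at_syntax=False : '@' is an ordinary character; nothing is read from disk.
    """
    parsed = []
    for arg in argv:
        if at_syntax and arg.startswith("@"):
            # The caller controls the path, so any readable file is exposed.
            parsed.extend(Path(arg[1:]).read_text().split())
        else:
            parsed.append(arg)
    return parsed


def demo():
    """Run both settings against a constructed file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text("s3cr3t-token-value\n")  # constructed sample data
        argv = ["--name", "@" + str(secret)]
        leaky = parse_args(argv, at_syntax=True)    # file contents leak into argv
        safe = parse_args(argv, at_syntax=False)    # literal '@/path', no disk read
    return leaky, safe


if __name__ == "__main__":
    leaky, safe = demo()
    print("with @-syntax   :", leaky)
    print("without @-syntax:", safe)
```

With expansion on, the parsed argument list (and any error message that echoes it back) carries the file contents; with it off, the same input is just a string that happens to start with “@”.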
To mitigate this vulnerability, users should update to either Jenkins 2.442 or 2.426.3 LTS. Alternatively, if the update is not currently feasible, reducing the risk can be achieved by disabling the CLI and SSH features.
TLDR: Jenkins recently patched a security vulnerability, but code samples for potential attacks have been discovered. Users should quickly update to Jenkins 2.442 or 2.426.3 LTS, or minimize risk by disabling CLI and SSH features. Source: Bleeping Computer, Jenkins.