Cloud security firm Aqua has uncovered two critical security vulnerabilities in Jenkins, an open-source automation server that could potentially allow an attacker to execute arbitrary code on targeted systems and sometimes a complete compromise too. These flaws, known as CVE-2023-27898 and CVE-2023-27905, collectively referred to as CorePlague, affect the Jenkins server and Update Center and can impact all Jenkins versions prior to 2.319.2. Considering the critical nature of these vulnerabilities, we urge all users of Jenkin to fix CorePlague vulnerabilities in Jenkins Server And Update Center.
We created this post in which we covered the introduction of Jenkins, where the flaws stemmed from, how can an attacker can compromise the Jenkins Server and Update Center, versions vulnerable to these critical flaws, and finally, how to fix CorePlague vulnerabilities in Jenkins Server And Update Center. Let’s begin with the introduction of Jenkins.
Jenkins is an open-source automation server widely used for continuous integration and continuous delivery. It is written in Java and helps developers quickly build, test, and deploy applications. Jenkins can be installed on-premise or hosted in the cloud, making it a great choice for both small and large development teams. With its user-friendly interface, Jenkins allows users to easily set up configurations and automate the process of building, testing and deploying software. It also provides a host of other features, such as integration with version control systems, continuous delivery pipelines, and security settings. Jenkins is an essential tool for any DevOps team striving for efficient workflows and improved application performance.
To better understand CorePlague Vulnerabilities in Jenkins Server and Update Center, it is good to know some basic Jenkins components like Artifactory Binary Repository, Jenkins Update Center, and Jenkins Pluginsthat.
Artifactory Binary Repository: An artifact registry, also known as a binary repository manager, is used to store and manage software artifacts such as libraries, packages, and plugins. The Jenkins project has its own Artifactory binary repository, which distributes core, library, and plugin releases. This allows developers to easily access and share artifacts and ensures the consistency and integrity of the software being used.
Jenkins Update Center: The Jenkins Update Center is a key component of the Jenkins automation server that provides access to a wide range of plugins and updates for the Jenkins platform. It allows administrators to discover, download, install, and upload their plugins that extend the functionality of their Jenkins server. This is also known as Jenkins community update sites, where developers and users can contribute their own plugins and enhancements.
Jenkins Plugins: Plugins are software components that extend the functionality of the Jenkins Server, enabling users to enhance and customize their experience and the automation process. These plugins offer features such as source code management, build triggers, notification mechanisms, and integrations with external tools and systems. They can be installed, updated, and managed via the Jenkins Update Center. With over 1,500 plugins available, Jenkins offers a wide range of functionalities and integrations that can be tailored to specific development needs.
Now itCVE-2023-27898’s time to see the summary of the CorePlague Vulnerabilities.
CorePlague vulnerabilities are composed of two critical vulnerabilities identified as CVE-2023-27898 and CVE-2023-27905. When these vulnerabilities are chained together, they allow an attacker to execute arbitrary code on targeted systems. Sometimes, these vulnerabilities allow a complete compromise of the Jenkins server, giving an attacker full control. Let’s see the summary of both vulnerabilities in the next section.
Stored XSS in Jenkins Plugin System
CVE-2023-27898 is a high-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins 2.270 through 2.393 and LTS 2.277.1 through 2.375.3, which could allow an attacker to execute arbitrary code on the affected system. Aqua published this vulnerability on March 8, 2023, marking its severity as High with a CVSS score of 8.8 out of 10 on the scale.
The vulnerability resides when the error message indicates plugin incompatibility with the current version of Jenkins, the plugin version is not properly escaped, allowing for a stored XSS vulnerability. Attackers can exploit this vulnerability by providing plugins to the configured update sites and having this message displayed on Jenkins instances.
This vulnerability is particularly concerning as it allows attackers to execute malicious code in the context of legitimate Jenkins users, potentially leading to data theft or system compromise. Jenkins administrators are advised to fix CorePlague vulnerabilities in Jenkins Server And Update Center.
Associated CVE ID | CVE-2023-27898 |
Description | A high-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins server due to improper input sanitization. |
Associated ZDI ID | – |
CVSS Score | 8.8 High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Impact Score | – |
Exploitability Score | – |
Attack Vector (AV) | Network |
Attack Complexity (AC) | Low |
Privilege Required (PR) | None |
User Interaction (UI) | Required |
Scope | Unchanged |
Confidentiality (C) | High |
Integrity (I) | High |
availability (a) | High |
Stored XSS in Jenkins Update-Center2
CVE-2023-27905 is a stored Cross-Site Scripting (XSS) vulnerability in Jenkins update-center2 3.13 and 3.14, which could be exploited by attackers who can provide a plugin for hosting. Aqua published this vulnerability on March 8, 2023, marking its severity as Medium with a CVSS score of 6.1 out of 10 on the scale.
The vulnerability resides when the required Jenkins core version on the plugin downloads index pages, and the input is not sanitized, creating a stored XSS vulnerability. Attackers can exploit this vulnerability by providing a plugin for hosting.
This vulnerability also allows attackers to execute malicious code in the context of legitimate Jenkins users. Jenkins administrators are advised to fix CorePlague vulnerabilities in Jenkins Server And Update Center.
Associated CVE ID | CVE-2023-27905 |
Description | A medium-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins Update Center2 due to improper input sanitization. |
Associated ZDI ID | – |
CVSS Score | 6.1 Medium |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Impact Score | – |
Exploitability Score | – |
Attack Vector (AV) | Network |
Attack Complexity (AC) | Low |
Privilege Required (PR) | None |
User Interaction (UI) | Required |
Scope | Changed |
Confidentiality (C) | Low |
Integrity (I) | Low |
availability (a) | None |
Aqua Team revealed in their study that Jenkins is vulnerable to stored cross-site scripting (XSS) attacks, which can lead to remote code execution (RCE). This vulnerability can be exploited by uploading a malicious core version plugin to the Jenkins Update Center, which can then trigger the XSS when the Available Plugin Manager is opened.
The vulnerabilities are triggered by a stored XSS exploit, where a malicious core version of a Jenkins plugin is uploaded to the Jenkins Update Center by attackers. When a victim opens the Available Plugin Manager on their Jenkins Server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins Server using the Script Console API.
This vulnerability is particularly dangerous because it does not require any additional action from the victim, and the exploitation does not require the manipulated plugin to be installed. Attackers can easily compromise Jenkins servers that are not directly reachable because the public Jenkins Update Center could be injected by attackers.
For complete technical details, we recommend reading the blog published by Aqua.
According to the advisory, Jenkins versions 2.270 through 2.393, as well as LTS versions 2.277.1 through 2.375.3, are affected by the CVE-2023-27898 vulnerability. And, The Jenkins update-center2 versions 3.13 and 3.14 are affected by the CVE-2023-27905 vulnerability.
As of now, you learned about Jenkins, CorePlague Vulnerabilities in Jenkins Server And Update Center, and versions affected by these flaws. Now we will see how to fix CorePlague Vulnerabilities in Jenkins Server And Update Center in this final section.
Generally, to protect your Jenkins server from new vulnerabilities, it is important to ensure that you have installed the latest security patches released by the Jenkins team. The Jenkins team has acknowledged the vulnerabilities and released patches for the Jenkins server as well as for the Jenkins Update Centeron February 15.
Even with the patch, your Jenkins server might still be vulnerable, but it’s probably not exploitable. Therefore, you don’t need to update it right away. However, if you use self-hosted or customized Update Centers to obtain your plugins, your Jenkins server is at risk, and you should update it immediately to ensure its security.
To protect your Jenkins server from these vulnerabilities, it is important to ensure that you have installed the latest security patches released by the Jenkins team. The Jenkins team has acknowledged the vulnerabilities and has released a patch for the Jenkins server as well as for the Jenkins Update Center.
This step-by-step guide will show you how to install or upgrade Jenkins on your machine. We are going to show you how you can install Jenkins on Ubuntu in this demo. Jenkins is distributed in various formats, including WAR files, native packages, installers, and Docker images. You can visit the links below if you want to install or upgrade on any other platform.
1. Docker
2. Kubernetes
3. Linux
4. macOS
5. Windows
6. Other Systems
7. WAR file
8. Other Servlet Containers
9. Offline Installations
10. Initial Settings
Before you begin, it is essential to ensure that your machine meets the hardware and software requirements for Jenkins. You can find this information in the User Handbook. Take a moment to review this section before proceeding with the installation.
Minimum hardware requirements:
256 MB of RAM
1 GB of drive space (although 10 GB is a recommended minimum if running Jenkins as a Docker container)
Recommended hardware configuration for a small team:
4 GB+ of RAM
50 GB+ of drive space
Comprehensive hardware recommendations:
Hardware: see the Hardware Recommendations page
Software requirements:
Java: see the Java Requirements page
Web browser: see the Web Browser Compatibility page
For Windows operating system: Windows Support Policy
For Linux operating system: Linux Support Policy
For servlet containers: Servlet Container Support Policy
A LTS (Long-Term Support) release is chosen every 12 weeks from the stream of regular releases as the stable release for that time period. It can be installed from the debian-stable.curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee \ /usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \ https://pkg.jenkins.io/debian-stable binary/ | sudo tee \ /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins
A new release is produced weekly to deliver bug fixes and features to users and plugin developers. It can be installed from the debian.curl -fsSL https://pkg.jenkins.io/debian/jenkins.io.key | sudo tee \ /usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \ https://pkg.jenkins.io/debian binary/ | sudo tee \ /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins
Here are some measures you can take to ensure your Jenkins server is protected from CorePlague vulnerabilities:
Make sure that your Jenkins server is running the latest version of the software and that you have installed the latest security patch released by the Jenkins team. You should also ensure that you have updated the Jenkins Update Center to the latest version.
You should disable any plugins that you are not using to reduce the attack surface of your Jenkins server. This will reduce the likelihood of attackers exploiting vulnerabilities in unused plugins.
Consider installing security plugins such as the Jenkins Active Directory plugin or the Role-Based Access Control plugin to enhance the security of your Jenkins server.
Regularly monitor your Jenkins server for any unusual activity or suspicious behavior. You can use plugins such as the Jenkins Log Parser plugin to monitor the system log for any unusual activity.
We hope this post would help you know how to fix CorePlague vulnerabilities in Jenkins Server And Update Center. Please share this post and help secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab
How To Fix CVE-2022-36804- A Command Injection Vulnerability in Bitbucket Server and Data Center
How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike
What is Command Injection Vulnerability? And How To Prevent It?
How to Patch Four New Vulnerabilities in VMWare Workstation and Fusion?
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.