Table of Contents
March 15, 2023
|11m
How to Fix CorePlague Vulnerabilities in Jenkins Server And Update Center?
Cloud security firm Aqua has uncovered two critical security vulnerabilities in Jenkins, an open-source automation server that could potentially allow an attacker to execute arbitrary code on targeted systems and sometimes a complete compromise too. These flaws, known as CVE-2023-27898 and CVE-2023-27905, collectively referred to as CorePlague, affect the Jenkins server and Update Center and can impact all Jenkins versions prior to 2.319.2. Considering the critical nature of these vulnerabilities, we urge all users of Jenkin to fix CorePlague vulnerabilities in Jenkins Server And Update Center.
We created this post in which we covered the introduction of Jenkins, where the flaws stemmed from, how can an attacker can compromise the Jenkins Server and Update Center, versions vulnerable to these critical flaws, and finally, how to fix CorePlague vulnerabilities in Jenkins Server And Update Center. Let’s begin with the introduction of Jenkins.
A Short Introduction About Jenkins
Jenkins is an open-source automation server widely used for continuous integration and continuous delivery. It is written in Java and helps developers quickly build, test, and deploy applications. Jenkins can be installed on-premise or hosted in the cloud, making it a great choice for both small and large development teams. With its user-friendly interface, Jenkins allows users to easily set up configurations and automate the process of building, testing and deploying software. It also provides a host of other features, such as integration with version control systems, continuous delivery pipelines, and security settings. Jenkins is an essential tool for any DevOps team striving for efficient workflows and improved application performance.
To better understand CorePlague Vulnerabilities in Jenkins Server and Update Center, it is good to know some basic Jenkins components like Artifactory Binary Repository, Jenkins Update Center, and Jenkins Pluginsthat.
Artifactory Binary Repository: An artifact registry, also known as a binary repository manager, is used to store and manage software artifacts such as libraries, packages, and plugins. The Jenkins project has its own Artifactory binary repository, which distributes core, library, and plugin releases. This allows developers to easily access and share artifacts and ensures the consistency and integrity of the software being used.
Jenkins Update Center: The Jenkins Update Center is a key component of the Jenkins automation server that provides access to a wide range of plugins and updates for the Jenkins platform. It allows administrators to discover, download, install, and upload their plugins that extend the functionality of their Jenkins server. This is also known as Jenkins community update sites, where developers and users can contribute their own plugins and enhancements.
Jenkins Plugins: Plugins are software components that extend the functionality of the Jenkins Server, enabling users to enhance and customize their experience and the automation process. These plugins offer features such as source code management, build triggers, notification mechanisms, and integrations with external tools and systems. They can be installed, updated, and managed via the Jenkins Update Center. With over 1,500 plugins available, Jenkins offers a wide range of functionalities and integrations that can be tailored to specific development needs.
Now itCVE-2023-27898’s time to see the summary of the CorePlague Vulnerabilities.
Summary of CorePlague Vulnerabilities in Jenkins Server And Update Center
CorePlague vulnerabilities are composed of two critical vulnerabilities identified as CVE-2023-27898 and CVE-2023-27905. When these vulnerabilities are chained together, they allow an attacker to execute arbitrary code on targeted systems. Sometimes, these vulnerabilities allow a complete compromise of the Jenkins server, giving an attacker full control. Let’s see the summary of both vulnerabilities in the next section.
Summary of CVE-2023-27898:
Stored XSS in Jenkins Plugin System
CVE-2023-27898 is a high-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins 2.270 through 2.393 and LTS 2.277.1 through 2.375.3, which could allow an attacker to execute arbitrary code on the affected system. Aqua published this vulnerability on March 8, 2023, marking its severity as High with a CVSS score of 8.8 out of 10 on the scale.
The vulnerability resides when the error message indicates plugin incompatibility with the current version of Jenkins, the plugin version is not properly escaped, allowing for a stored XSS vulnerability. Attackers can exploit this vulnerability by providing plugins to the configured update sites and having this message displayed on Jenkins instances.
This vulnerability is particularly concerning as it allows attackers to execute malicious code in the context of legitimate Jenkins users, potentially leading to data theft or system compromise. Jenkins administrators are advised to fix CorePlague vulnerabilities in Jenkins Server And Update Center.
| Associated CVE ID | CVE-2023-27898 |
| Description | A high-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins server due to improper input sanitization. |
| Associated ZDI ID | – |
| CVSS Score | 8.8 High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | Required |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Summary of CVE-2023-27905:
Stored XSS in Jenkins Update-Center2
CVE-2023-27905 is a stored Cross-Site Scripting (XSS) vulnerability in Jenkins update-center2 3.13 and 3.14, which could be exploited by attackers who can provide a plugin for hosting. Aqua published this vulnerability on March 8, 2023, marking its severity as Medium with a CVSS score of 6.1 out of 10 on the scale.
The vulnerability resides when the required Jenkins core version on the plugin downloads index pages, and the input is not sanitized, creating a stored XSS vulnerability. Attackers can exploit this vulnerability by providing a plugin for hosting.
This vulnerability also allows attackers to execute malicious code in the context of legitimate Jenkins users. Jenkins administrators are advised to fix CorePlague vulnerabilities in Jenkins Server And Update Center.
| Associated CVE ID | CVE-2023-27905 |
| Description | A medium-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins Update Center2 due to improper input sanitization. |
| Associated ZDI ID | – |
| CVSS Score | 6.1 Medium |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | Required |
| Scope | Changed |
| Confidentiality (C) | Low |
| Integrity (I) | Low |
| availability (a) | None |
What Aqua Shared About CorePlague Vulnerabilities?
Aqua Team revealed in their study that Jenkins is vulnerable to stored cross-site scripting (XSS) attacks, which can lead to remote code execution (RCE). This vulnerability can be exploited by uploading a malicious core version plugin to the Jenkins Update Center, which can then trigger the XSS when the Available Plugin Manager is opened.
The vulnerabilities are triggered by a stored XSS exploit, where a malicious core version of a Jenkins plugin is uploaded to the Jenkins Update Center by attackers. When a victim opens the Available Plugin Manager on their Jenkins Server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins Server using the Script Console API.
This vulnerability is particularly dangerous because it does not require any additional action from the victim, and the exploitation does not require the manipulated plugin to be installed. Attackers can easily compromise Jenkins servers that are not directly reachable because the public Jenkins Update Center could be injected by attackers.
For complete technical details, we recommend reading the blog published by Aqua.
Jenkins Server And Update Center Prone to CorePlague Vulnerabilities:
According to the advisory, Jenkins versions 2.270 through 2.393, as well as LTS versions 2.277.1 through 2.375.3, are affected by the CVE-2023-27898 vulnerability. And, The Jenkins update-center2 versions 3.13 and 3.14 are affected by the CVE-2023-27905 vulnerability.
How to Fix CorePlague Vulnerabilities in Jenkins Server And Update Center?
As of now, you learned about Jenkins, CorePlague Vulnerabilities in Jenkins Server And Update Center, and versions affected by these flaws. Now we will see how to fix CorePlague Vulnerabilities in Jenkins Server And Update Center in this final section.
Generally, to protect your Jenkins server from new vulnerabilities, it is important to ensure that you have installed the latest security patches released by the Jenkins team. The Jenkins team has acknowledged the vulnerabilities and released patches for the Jenkins server as well as for the Jenkins Update Centeron February 15.
Even with the patch, your Jenkins server might still be vulnerable, but it’s probably not exploitable. Therefore, you don’t need to update it right away. However, if you use self-hosted or customized Update Centers to obtain your plugins, your Jenkins server is at risk, and you should update it immediately to ensure its security.
How to Protect Your Jenkins Server And Update Center from CorePlague Vulnerabilities?
To protect your Jenkins server from these vulnerabilities, it is important to ensure that you have installed the latest security patches released by the Jenkins team. The Jenkins team has acknowledged the vulnerabilities and has released a patch for the Jenkins server as well as for the Jenkins Update Center.
How to Install or Upgrade Jenkins?
This step-by-step guide will show you how to install or upgrade Jenkins on your machine. We are going to show you how you can install Jenkins on Ubuntu in this demo. Jenkins is distributed in various formats, including WAR files, native packages, installers, and Docker images. You can visit the links below if you want to install or upgrade on any other platform.
1. Docker
2. Kubernetes
3. Linux
4. macOS
5. Windows
6. Other Systems
7. WAR file
8. Other Servlet Containers
9. Offline Installations
10. Initial Settings
Step 1. Check the Hardware and Software Requirements
Before you begin, it is essential to ensure that your machine meets the hardware and software requirements for Jenkins. You can find this information in the User Handbook. Take a moment to review this section before proceeding with the installation.
Minimum hardware requirements:
256 MB of RAM
1 GB of drive space (although 10 GB is a recommended minimum if running Jenkins as a Docker container)
Recommended hardware configuration for a small team:
4 GB+ of RAM
50 GB+ of drive space
Comprehensive hardware recommendations:
Hardware: see the Hardware Recommendations page
Software requirements:
Java: see the Java Requirements page
Web browser: see the Web Browser Compatibility page
For Windows operating system: Windows Support Policy
For Linux operating system: Linux Support Policy
For servlet containers: Servlet Container Support Policy
Step 2. Downloading and Installing Jenkins
A LTS (Long-Term Support) release is chosen every 12 weeks from the stream of regular releases as the stable release for that time period. It can be installed from the debian-stable.curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee \ /usr/share/keyrings/jenkins-keyring.asc > /dev/nullecho deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \ https://pkg.jenkins.io/debian-stable binary/ | sudo tee \ /etc/apt/sources.list.d/jenkins.list > /dev/nullsudo apt-get updatesudo apt-get install jenkins
A new release is produced weekly to deliver bug fixes and features to users and plugin developers. It can be installed from the debian.curl -fsSL https://pkg.jenkins.io/debian/jenkins.io.key | sudo tee \ /usr/share/keyrings/jenkins-keyring.asc > /dev/nullecho deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \ https://pkg.jenkins.io/debian binary/ | sudo tee \ /etc/apt/sources.list.d/jenkins.list > /dev/nullsudo apt-get updatesudo apt-get install jenkins
Here are some measures you can take to ensure your Jenkins server is protected from CorePlague vulnerabilities:
Step 3. Update Jenkins Server and Jenkins Update Center:
Make sure that your Jenkins server is running the latest version of the software and that you have installed the latest security patch released by the Jenkins team. You should also ensure that you have updated the Jenkins Update Center to the latest version.
Step 4. Disable Unused Plugins:
You should disable any plugins that you are not using to reduce the attack surface of your Jenkins server. This will reduce the likelihood of attackers exploiting vulnerabilities in unused plugins.
Step 5. Install Security Plugins:
Consider installing security plugins such as the Jenkins Active Directory plugin or the Role-Based Access Control plugin to enhance the security of your Jenkins server.
Step 6. Monitor Jenkins Server:
Regularly monitor your Jenkins server for any unusual activity or suspicious behavior. You can use plugins such as the Jenkins Log Parser plugin to monitor the system log for any unusual activity.
We hope this post would help you know how to fix CorePlague vulnerabilities in Jenkins Server And Update Center. Please share this post and help secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
