Jenkins Critical Args4j Library Vulnerability RCE CVE-2024-23897 Patch Now
Not long after an RCE with GitLab, it looks like Jenkins is not spared:
The team managing Jenkins, an open-source tool for continuous integration/continuous delivery and deployment (CI/CD) automation, has recently fixed nine security vulnerabilities. Among these, a critical flaw stands out for its potential to enable remote code execution (RCE) if exploited successfully.
This particular vulnerability, identified as CVE-2024-23897, is characterized by an arbitrary file read issue occurring through Jenkins' built-in command line interface (CLI).
According to an advisory released by the Jenkins maintainers on Wednesday, the software utilizes the args4j library for parsing command arguments and options on the Jenkins controller when processing CLI commands. A notable feature of this command parser is its ability to replace an '@' character followed by a file path in an argument with the contents of the file (referred to as expandAtFiles). This functionality is active by default, and versions of Jenkins up to 2.441 and LTS 2.426.2 or earlier did not have this feature disabled.
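Because the quoted advisory gives the affected ranges as two separate release lines (weekly up to 2.441, LTS up to 2.426.2), a fleet check has to compare each line on its own. The script below is an added example, not code from Jenkins or from either article: it takes a constructed inventory of host-to-version mappings (the version is assumed to be collected from each controller, for instance from the X-Jenkins response header) and lists the hosts that still fall inside the stated ranges.

```python
"""Triage a Jenkins inventory against the CVE-2024-23897 affected ranges.

The thresholds come from the advisory summary quoted above: weekly
releases up to 2.441 and LTS releases up to 2.426.2 are affected.
The inventory and host names are constructed for this example.
"""
from __future__ import annotations

# Last affected version per release line, as stated on the page.
# Weekly releases are 2.N, LTS releases are 2.N.M, so compare separately.
LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)


def parse_version(version: str) -> tuple[int, ...]:
    """'2.426.2' -> (2, 426, 2). Rejects anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(part) for part in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range of its release line."""
    parsed = parse_version(version)
    if len(parsed) == 2:          # weekly line: 2.N
        return parsed <= LAST_AFFECTED_WEEKLY
    if len(parsed) == 3:          # LTS line: 2.N.M
        return parsed <= LAST_AFFECTED_LTS
    raise ValueError(f"unexpected number of version components: {version!r}")


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts that still need the fix, sorted for a ticket."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed inventory: host -> version reported by that controller
# (assumed to be taken from the X-Jenkins response header). Not real hosts.
SAMPLE_INVENTORY = {
    "ci-weekly-a.example.test": "2.441",    # last affected weekly release
    "ci-weekly-b.example.test": "2.442",    # next weekly, outside the stated range
    "ci-lts-a.example.test": "2.426.2",     # last affected LTS release
    "ci-lts-b.example.test": "2.426.3",     # next LTS, outside the stated range
    "ci-lts-old.example.test": "2.401.3",   # older LTS, affected
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} ({SAMPLE_INVENTORY[host]})")
```

Versions that do not parse as dotted integers (snapshot builds, vendor-modified strings) raise rather than silently passing, so they show up as something to check by hand instead of being reported as safe.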
Several proof of concept exploits have been released. It is the 11th hour to patch if you haven't already:
Several proof-of-concept (PoC) exploits have been released for a severe vulnerability in Jenkins, an open-source automation server essential in software development, particularly for Continuous Integration (CI) and Continuous Deployment (CD). These exploits, now public, enable unauthenticated attackers to read files from the server, and there are reports of active exploitation in the wild.
Jenkins automates critical aspects of software development, such as building, testing, and deploying applications. It supports a vast array of integration plugins and is utilized by organizations of various sizes, including large-scale enterprises.
Researchers at SonarSource identified two vulnerabilities in Jenkins that could allow attackers to access server data and execute arbitrary CLI commands under specific conditions.
The more severe of these vulnerabilities, designated as CVE-2024-23897, allows attackers with 'overall/read' permission to access data from any file on the Jenkins server. Even those without this permission could read the initial lines of files, contingent on the available CLI commands.
This vulnerability arises from the default behavior of Jenkins' args4j command parser, which automatically expands file contents into command arguments if an argument begins with the "@" symbol. This behavior inadvertently permits unauthorized access to files on the Jenkins controller file system.
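To make the mechanism described in both excerpts concrete, here is a small model of the "@" expansion (the expandAtFiles behaviour) with the setting on and off. This is an added illustration written for this page, not args4j's or Jenkins' own code: the in-memory FILES dict stands in for the controller file system so the script runs offline, and the path, file contents and command name are constructed.

```python
"""Toy model of the args4j "@file" argument expansion described above.

Added illustration, not args4j or Jenkins code. FILES is a constructed
stand-in for the controller file system so the example runs offline.
"""
from __future__ import annotations

# Constructed stand-in for files on the controller; the real parser reads disk.
FILES = {
    "/tmp/constructed-example.txt": "first line\nsecond line\n",
}


class ParseError(Exception):
    """Raised for a missing file or an empty command line."""


def read_lines(path: str) -> list[str]:
    """Return the file's lines, or raise ParseError if it does not exist."""
    try:
        content = FILES[path]
    except KeyError:
        raise ParseError(f"no such file: {path}") from None
    return content.splitlines()


def expand_at_files(args: list[str], at_syntax: bool) -> list[str]:
    """Model of the parser's default behaviour.

    With at_syntax=True (the default the page describes), any argument that
    begins with '@' is replaced by the lines of the named file, one argument
    per line, so file contents end up inside the parsed command line.
    With at_syntax=False the argument is kept literally, which removes the
    file read entirely; this is the hardened configuration.
    """
    if not at_syntax:
        return list(args)
    result: list[str] = []
    for arg in args:
        if arg.startswith("@"):
            result.extend(read_lines(arg[1:]))
        else:
            result.append(arg)
    return result


def parse_cli(args: list[str], at_syntax: bool) -> dict:
    """Minimal CLI front end: first token is the command name, the rest are
    positional arguments, after the optional @file expansion."""
    expanded = expand_at_files(args, at_syntax)
    if not expanded:
        raise ParseError("no command given")
    return {"command": expanded[0], "args": expanded[1:]}


if __name__ == "__main__":
    argv = ["help", "@/tmp/constructed-example.txt"]
    print("expansion on: ", parse_cli(argv, at_syntax=True))
    print("expansion off:", parse_cli(argv, at_syntax=False))
```

Run with expansion on, the second token is no longer the literal string the caller typed but the contents of the referenced file, split into one argument per line; with expansion off, the same input is an ordinary (and harmless) string argument. That difference is the whole defect: the parser feature is working as designed, but in a server that accepts CLI arguments from remote users it turns any argument into a file read, which is why the fixed releases ship with it disabled.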