Jenkins features a Java-based Groovy script console allowing authorized users to run arbitrary scripts on the Jenkins master or slave servers. Such scripts include executing arbitrary OS shell commands, making this a remote code execution vulnerability.
Default installation gives all users access to the script console.
The script console was originally an interface for Jenkins developers and cannot be disabled at the host level. It can at best be restricted to users with the Overall:Administer/RunScripts permission.
- The attacker makes multiple HTTP POST requests to the Jenkins script console with user credentials and security tokens. The data of each request contains a script to run OS shell commands in stages.
- Through multiple stages, the attacker installs and runs either a reverse shell or backdoor, providing a foothold on the Jenkins server. The attacker can attempt to escalate privileges and/or pivot further into the network.
The attacker must be able to access the Jenkins server and have authorization (Overall:Administer/RunScripts permission) to use the script console. If Jenkins is securely configured, the attacker would need the admin credentials.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Detection of this threat is provided via Alert Logic ActiveWatch for Web Security Manager service. Depending on your deployment of Web Security Manager, you will receive an incident (for out-of-band deployment) or the threat will be actively blocked and rejected (for the inline Web Security Manager Premier deployment) if an exploit attempt is observed.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.