A remote code execution (RCE) vulnerability has been discovered in plugins for the Jenkins open source automation server. At least three relevant CVEs have been identified so far: CVE-2019-1003000, CVE-2019-1003001, and CVE-2019-1003002. Additional CVEs or affected plugins may surface in the coming days. Exploitation of this vulnerability allows RCE or the installation of malicious payloads, such as malware and web shells.
We have seen attackers successfully exploiting this Jenkins Plugins vulnerability.
Customers who meet the following criteria may be impacted by this threat:
- Run vulnerable versions of the affected plugins within Jenkins installations that are publicly accessible to the internet
- Allow some mechanism of read access (public users would hold only the minimal Overall/Read and Job/Configure permissions)
This vulnerability allows remote attackers to inject code through Groovy "meta-programming" performed at compile time, a feature designed to allow evaluation of code snippets, into one of three Jenkins plugins (Pipeline: Declarative, Pipeline: Groovy, or Script Security). Using this behavior, attackers can cause victim hosts to fetch payloads and execute them.
The three CVEs discovered thus far were announced on NVD on January 22, 2019. They describe the same exploitation path but cover the different libraries through which it is reached.
For more information about this vulnerability, check out our blog on the Jenkins Plugins Remote Code Execution.
Alert Logic Coverage
Network IDS: Alert Logic® released signatures to detect exploits of this threat on February 20, 2019. Alert Logic security analysts are actively working to evaluate potentially successful exploitation attempts.
In addition, Alert Logic is researching this threat to determine whether scan coverage and web application firewall coverage can be supported. At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
Per an advisory released by Jenkins, patching is the primary mitigation for this threat. The following versions are listed as vulnerable in this advisory:
- Pipeline: Declarative Plugin up to and including 1.3.4
- Pipeline: Groovy Plugin up to and including 2.61
- Script Security Plugin up to and including 1.49
It is also recommended to remove Jenkins from public internet access.
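As an added check against the version list above (example code written for this article, not Alert Logic's scanner or any Jenkins tooling), the script below walks a Jenkins plugin directory, reads each plugin's MANIFEST.MF and reports any plugin at or below the vulnerable version ceiling. It assumes the plugin IDs pipeline-model-definition, workflow-cps and script-security, which are the Short-Name values Jenkins writes into each plugin's META-INF/MANIFEST.MF; the sample plugin directory it builds is constructed for illustration and is not taken from a real host.

```python
"""Report Jenkins plugins at versions the advisory lists as vulnerable:
Pipeline: Declarative <= 1.3.4, Pipeline: Groovy <= 2.61,
Script Security <= 1.49. Example code, not Alert Logic's or Jenkins' own."""
import os
import re
import tempfile

# Plugin IDs (the "Short-Name" header in a plugin's MANIFEST.MF) mapped to the
# highest version the Jenkins advisory lists as vulnerable.
VULNERABLE_UP_TO = {
    "pipeline-model-definition": "1.3.4",  # Pipeline: Declarative Plugin
    "workflow-cps": "2.61",                # Pipeline: Groovy Plugin
    "script-security": "1.49",             # Script Security Plugin
}


def parse_version(version):
    """Turn '2.61' or '1.3.4.1' into a tuple of ints for comparison.
    A non-numeric suffix ends the tuple, so '2.61-beta' compares as (2, 61)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(short_name, version):
    """True when the plugin is one of the three and at or below the ceiling.
    Tuple comparison makes 1.3.4.1 greater than 1.3.4, so patch releases
    that add a component are correctly treated as fixed."""
    ceiling = VULNERABLE_UP_TO.get(short_name)
    if ceiling is None:
        return False
    return parse_version(version) <= parse_version(ceiling)


def read_manifest(path):
    """Parse MANIFEST.MF headers, joining the space-prefixed continuation
    lines the JAR manifest format uses for long values."""
    headers = {}
    last_key = None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\r\n")
            if line.startswith(" ") and last_key:
                headers[last_key] += line[1:]
            elif ":" in line:
                key, _, value = line.partition(":")
                last_key = key.strip()
                headers[last_key] = value.strip()
    return headers


def scan_plugin_dir(plugins_dir):
    """Walk <plugins_dir>/<plugin>/META-INF/MANIFEST.MF, the layout under
    $JENKINS_HOME/plugins on a Linux host, and return {short_name: version}
    for every plugin still at a vulnerable version."""
    findings = {}
    for entry in sorted(os.listdir(plugins_dir)):
        manifest = os.path.join(plugins_dir, entry, "META-INF", "MANIFEST.MF")
        if not os.path.isfile(manifest):
            continue
        headers = read_manifest(manifest)
        name, version = headers.get("Short-Name"), headers.get("Plugin-Version")
        if name and version and is_vulnerable(name, version):
            findings[name] = version
    return findings


# Constructed sample (not a real host): two plugins still vulnerable, one
# already on a fixed release, and one unrelated plugin.
SAMPLE_PLUGINS = {
    "workflow-cps": ("Pipeline: Groovy", "2.61"),
    "pipeline-model-definition": ("Pipeline: Declarative", "1.3.4.1"),
    "script-security": ("Script Security", "1.49"),
    "git": ("Jenkins Git plugin", "3.9.1"),
}


def build_sample_dir():
    """Write the constructed sample as a temporary plugin directory."""
    root = tempfile.mkdtemp(prefix="jenkins-plugins-")
    for short, (long_name, version) in SAMPLE_PLUGINS.items():
        meta = os.path.join(root, short, "META-INF")
        os.makedirs(meta)
        with open(os.path.join(meta, "MANIFEST.MF"), "w", encoding="utf-8") as fh:
            fh.write("Manifest-Version: 1.0\r\n")
            fh.write(f"Short-Name: {short}\r\n")
            fh.write(f"Long-Name: {long_name}\r\n")
            fh.write(f"Plugin-Version: {version}\r\n")
    return root


if __name__ == "__main__":
    for name, version in scan_plugin_dir(build_sample_dir()).items():
        print(f"VULNERABLE {name} {version} (advisory ceiling {VULNERABLE_UP_TO[name]})")
```

On a real host, point scan_plugin_dir at $JENKINS_HOME/plugins (readable by the jenkins user); exploded plugin directories carry the same manifest as the .hpi/.jpi archive they were unpacked from. A clean result only confirms plugin versions, so the recommendation to keep Jenkins off the public internet still applies.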
This section will be updated with new information about this Jenkins RCE vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click the FOLLOW button at the top of this article. You must be signed in to the Support Center using your Alert Logic product credentials to follow this article.
02/22/2019: Vulnerability scan coverage is now available to identify vulnerable assets via SSH Authenticated scans against Linux hosts.
03/04/2019: Alert Logic is now actively seeing successful exploitation of the Jenkins Plugins RCE vulnerability. It is recommended to take immediate action to mitigate risks associated with this threat.