Addressing recently disclosed vulnerabilities in the Jenkins CLI
The Jenkins security team has been made aware of a new attack vector for a remote code execution vulnerability in the Jenkins CLI, according to this advisory by Daniel Beck:
We have received a report of a possible unauthenticated remote code execution vulnerability in Jenkins (all versions).
We strongly advise anyone running a Jenkins instance on a public network to disable the CLI for now.
As this uses the same attack vector as SECURITY-218, you can reuse the script and instructions published in this repository: https://github.com/jenkinsci-cert/SECURITY-218
We have since been able to confirm the vulnerability and strongly recommend that everyone follow the instructions in the linked repository.
As Daniel mentions in the security advisory, the advised mitigation strategy is to disable the CLI subsystem via this Groovy script. If you are a Jenkins administrator, navigate to the 'Manage Jenkins' page and click on the 'Script Console', which will allow you to run the Groovy script to immediately disable the CLI.
In order to persist this change across restarts of your Jenkins master, place the Groovy script in $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy so that Jenkins executes the script on each boot.
We are expecting to have a fix implemented, tested and included in an updated weekly and LTS release this upcoming Wednesday, November 16th.
For users who are operating Jenkins on public, or otherwise hostile, networks, we suggest hosting Jenkins behind reverse proxies such as Apache or Nginx. These can help provide an additional layer of security, when used appropriately, to cordon off certain URLs such as /cli.
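As an added example (not part of the original post and not the Jenkins project's own configuration), an Nginx reverse-proxy fragment that refuses /cli and everything beneath it before the request reaches Jenkins. It assumes Jenkins listens on 127.0.0.1:8080 at the root context path, that the proxy serves jenkins.example.com, and that the certificate paths are placeholders for your own.

```nginx
# Added example, not from the Jenkins project: Nginx in front of a Jenkins
# master, refusing any request under /cli at the proxy.
# Assumptions: Jenkins on 127.0.0.1:8080 at the root context path, hostname
# jenkins.example.com, placeholder certificate paths.
upstream jenkins {
    server 127.0.0.1:8080;
    keepalive 16;
}

server {
    listen 443 ssl;
    server_name jenkins.example.com;

    ssl_certificate     /etc/nginx/tls/jenkins.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/jenkins.key;   # placeholder path

    # Refuse /cli, /cli/ and anything below it. A regex location is used
    # rather than a plain prefix so that unrelated paths starting with
    # "cli" are not caught; regex locations win over the "/" prefix below.
    location ~ ^/cli(/|$) {
        return 403;
    }

    # Everything else is passed through to Jenkins unchanged.
    location / {
        proxy_pass http://jenkins;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90;
    }
}
```

Blocking /cli at the proxy only covers requests that arrive through the proxy, so it complements disabling the CLI subsystem in Jenkins itself rather than replacing it; if Jenkins runs under a context path, prefix the regex accordingly.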
Additionally, we strongly recommend that all Jenkins administrators subscribe to the jenkinsci-advisories@googlegroups.com mailing list to receive future advisories.
The Jenkins project has a responsible disclosure policy, which we strongly encourage anybody who believes they have discovered a potential vulnerability to follow. You can learn more about this policy and our processes on our security page.