Context
Jenkins is an open-source CI/CD solution that is extensible with a wide range of plugins that can be installed using the Jenkins plugin distribution repository or via manual installation.
This extensibility is a powerful feature of Jenkins, but it is a critical aspect that has to be secured to avoid risks and vulnerabilities that can impact the Jenkins system.
The internship took place while working in direct contact with the Jenkins Security Team, having daily meetings to discuss topics, possible blockers, and share ideas.
Internship Goals
The main goals of the internship were:
Understanding how some of the common vulnerabilities can be recognized in the Jenkins ecosystem by paying attention to common patterns related to best practices in terms of configuration and data flow control.
Auditing the plugins in a structural and ordered way, with comprehensive vulnerability scoring and classification using the MITRE standard, permitting them to be reviewed easily by the team.
Reporting findings to the team and plugin maintainers using the Jira issue tracker, having live sessions to help the latter ones have a full comprehension of the vulnerability reported.
Organizational Model
Good communication is a necessary basis for a good organizational model.
Regarding that, a Slack channel was opened where I could ask questions, open discussions, and share ideas.
In addition to that, there were scheduled weekly sessions with my manager, Wadeck Follonier, who leads the Jenkins Security Team, and with my co-pilot, Kevin Guerroudj.
During these sessions, I could open discussion for doubts, receive knowledge, and propose activities that I could do during the internship, as well as a daily session with the team.
To be more productive and get quick feedback from the team, a spreadsheet was made available to me to note the plugins audited with related security audit documents, where I reported my findings and associated security tickets.
Furthermore, CloudBees got me in touch with other interns working in different departments using a Slack channel and also scheduled monthly meetings to discuss our progress on our projects and the value added to them.
The journey
At the beginning of this security journey, I had the opportunity to quickly learn about the common vulnerabilities that we could find inside a Plugin, thanks to a cyber gym that my manager created and distributed on a GitHub repository.
It is essentially a Jenkins plugin, called Emmenthal Plugin, that is written with some bad patterns that the Jenkins documentation suggests to avoid and that permits to obtain common vulnerabilities like Cross Site Scripting, XML External Entities, Server Side Request Forgery, Path Traversal, and so on.
From that moment on, I enjoyed the journey.
I started the audit with easier and less popular plugins, and each day I increased the difficulty level with more popular plugins until the end of the journey.
It was obvious to me that the plugins with larger installation counts were also more secure due to the accrued attention they already got prior to now.
During the journey, I improved my skills on auditing thanks to a structured internal document that the team uses for auditing, and that helped me to be more precise and to not forget anything that caught my attention during the analysis of the plugins.
Following each finding, there was a brainstorming phase where I tried to classify the vulnerability in terms of CWEs and assign a CVSS score to understand the real impact and risks.
Finally, the reporting to the maintainers was done using Jira and described in a structured format that permits them to easily and quickly understand the point impacted inside the code and the reproduction steps to have a procedure to replicate it.
Results
The value that I added to the project can be measured in terms of vulnerabilities reported and confirmed by the Jenkins Security Team and based on the type of plugin affected.
In terms of numbers, I reported 23 vulnerabilities, split into two categories using “10k installations” as a threshold:
19 vulnerabilities were found in less popular plugins.
4 vulnerabilities were found in more popular plugins.
At the moment, only 3 vulnerabilities are known to the public in the Jenkins Security Advisories:
Conclusions
I enjoyed this opportunity.
It helped me to be more confident in a practical manner on the security aspects and also permitted me to learn new ways to do audits.
I obtained good results in terms of the contributions of the Jenkins ecosystem, and it will have a positive impact on my professional career.
Message from the co-pilot
Andrea quickly stood out during his internship.
His ability to understand and adapt to our tasks was impressive.
He always asked the right questions and showed a real passion for learning.
It was great to work with someone so eager to grow in this field.
Message from the security officer
Andrea was able since the beginning and until the end, to ask very smart questions, showing his deep interest in the cybersecurity field.
He was able to demonstrate great analytical skills.
This kind of internship is continuously showing me that this kind of project is worth it for multiple reasons: for the intern themself, to learn new topics and get practical experience, but also for the community in terms of security improvement and also for the rest of the team, to have mentoring opportunities.