The Jenkins security team has been made aware of a new attack vector for a remote code execution vulnerability in the Jenkins CLI, according to this advisory by Daniel Beck:
We have received a report of a possible unauthenticated remote code execution vulnerability in Jenkins (all versions).
We strongly advise anyone running a Jenkins instance on a public network to disable the CLI for now.
As this uses the same attack vector as SECURITY-218, you can reuse the script and instructions published in this repository: https://github.com/jenkinsci-cert/SECURITY-218
We have since been able to confirm the vulnerability and strongly recommend that everyone follow the instructions in the linked repository.
As Daniel mentions in the security advisory, the advised mitigation strategy is to disable the CLI subsystem via this Groovy script. If you are a Jenkins administrator, navigate to the Manage Jenkins page and click on the Script Console, which will allow you to run the Groovy script to immediately disable the CLI.
In order to persist this change across restarts of your Jenkins master, place the Groovy script in $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy so that Jenkins executes the script on each boot.
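As an added illustration of what such an init script does (this is not the script linked in the post nor the project's own code), the following removes the CLI endpoints through Jenkins' public extension API; the "CLI" protocol names and the CLIAction class name are assumptions based on Jenkins 2.x of this period.

```groovy
// $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy (added illustration, not the linked script)
// Jenkins runs every script in init.groovy.d at boot, so this re-applies after restarts.
import hudson.AgentProtocol
import hudson.model.RootAction
import jenkins.model.Jenkins

def jenkins = Jenkins.instance

// 1. Disable CLI over the TCP agent port by removing every AgentProtocol whose
//    name mentions CLI (assumption: they are named "CLI-connect" / "CLI2-connect").
def protocols = AgentProtocol.all()
def cliProtocols = protocols.findAll { it.name?.contains("CLI") }
cliProtocols.each { protocols.remove(it) }
println "cli-shutdown: removed ${cliProtocols.size()} CLI agent protocol(s)"

// 2. Disable CLI over HTTP by removing the root action that serves /cli.
//    Collect matches first, then remove, so the list is not mutated while iterating.
def removeCliActions = { List actions ->
    def hits = actions.findAll { it.getClass().name.contains("CLIAction") }
    hits.each { actions.remove(it) }
    return hits.size()
}
int removed = removeCliActions(jenkins.getExtensionList(RootAction))
removed += removeCliActions(jenkins.actions)
println "cli-shutdown: removed ${removed} CLI root action(s); /cli is no longer served"
```

After a restart, confirm the mitigation held by checking that the two println lines appear in the Jenkins log and that requests to /cli no longer reach the CLI handler.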
We are expecting to have a fix implemented, tested and included in an updated weekly and LTS release this upcoming Wednesday, November 16th.
For users who are operating Jenkins on public, or otherwise hostile, networks, we suggest hosting Jenkins behind reverse proxies such as Apache or Nginx. These can help provide an additional layer of security, when used appropriately, to cordon off certain URLs such as /cli.
Additionally, we strongly recommend that all Jenkins administrators subscribe to the jenkinsci-advisories@googlegroups.com mailing list to receive future advisories.
The Jenkins project has a responsible disclosure policy, which we strongly encourage anybody who believes they have discovered a potential vulnerability to follow. You can learn more about this policy and our processes on our security page.