The Jenkins security team announced 34 zero-day vulnerabilities in 24 of its plugins. The vulnerabilities range from XSS and stored XSS to password and token disclosure. The list of vulnerable plugins and an overview of their impact can be found in this Bleeping Security article.
Jenkins 0-days and their impact
The various Jenkins plugins have varying impacts. Depending on which plugins your organisation uses, its Jenkins setup faces varying degrees of risk, up to and including compromise of its software supply chain.
Here we list a few common vulnerability classes and their impacts:
| Vulnerability | Maximum Impact | Affected Plugins |
|---|---|---|
| Stored XSS | Credential theft, account takeover | Plot Plugin, build-metrics Plugin, Rich Text Publisher Plugin, Matrix Reloaded Plugin, eXtreme Feedback Panel Plugin, Validating Email Parameter Plugin, Deployment Dashboard Plugin |
| XSS (Cross-Site Scripting) | Credential theft, account takeover | GitLab Plugin, TestNG Results Plugin, Project Inheritance Plugin, Recipe Plugin |
| CSRF (Cross-Site Request Forgery) | Credential reset, token theft, account takeover | XebiaLabs XL Release Plugin, Matrix Reloaded Plugin, Recipe Plugin, XPath Configuration Viewer Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin |
| Missing permission checks | Credential theft, unauthorised actions | XebiaLabs XL Release Plugin, requests-plugin, build-metrics Plugin, Recipe Plugin, Deployment Dashboard Plugin, RQM Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin |
| Passwords stored in plain text | Mass credential theft | Deployment Dashboard Plugin, Skype notifier Plugin, Jigomerge Plugin, Elasticsearch Query Plugin, Cisco Spark Plugin, RQM Plugin, hpe-network-virtualization Plugin |
| Tokens, API keys or secrets stored in plain text | Session takeover / account takeover | Build Notifications Plugin, RocketChat Notifier Plugin, OpsGenie Plugin |
Applying patches is the best and recommended way to fix vulnerabilities. In this incident, Jenkins has yet to provide fixes for many of the vulnerabilities, so they remain unpatched zero-days and a live risk.
In the absence of patches, disabling the vulnerable plugins is the best option from the security side, but it can be disastrous if it breaks the organisation's engineering processes.
In such cases we always recommend strong passwordless authentication. The absence of credentials makes most of these attacks irrelevant, even in the presence of vulnerable plugins.
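To decide which plugins to disable, an administrator first needs to know which of the plugins in the table above are actually installed and enabled. The script below is an added example, not part of the original post or of any PureAUTH or Jenkins tooling: it takes the JSON that Jenkins' plugin manager API returns (GET /pluginManager/api/json?depth=1, whose entries carry a longName display name and an enabled flag) and reports every enabled plugin named in the table together with its vulnerability class and maximum impact. It assumes the display names in that API line up with the names used in the table, and the input shown is a constructed sample rather than a real instance's output.

```python
import json

# Vulnerability class -> (maximum impact, affected plugin display names), taken from the table above.
ADVISORY = {
    "Stored XSS": ("Credential theft, account takeover", [
        "Plot", "build-metrics", "Rich Text Publisher", "Matrix Reloaded",
        "eXtreme Feedback Panel", "Validating Email Parameter", "Deployment Dashboard"]),
    "XSS": ("Credential theft, account takeover", [
        "GitLab", "TestNG Results", "Project Inheritance", "Recipe"]),
    "CSRF": ("Credential reset, token theft, account takeover", [
        "XebiaLabs XL Release", "Matrix Reloaded", "Recipe", "XPath Configuration Viewer",
        "Rename Or Delete", "Failed Job Deactivator"]),
    "Missing permission checks": ("Credential theft, unauthorised actions", [
        "XebiaLabs XL Release", "requests-plugin", "build-metrics", "Recipe",
        "Deployment Dashboard", "RQM", "Rename Or Delete", "Failed Job Deactivator"]),
    "Passwords stored in plain text": ("Mass credential theft", [
        "Deployment Dashboard", "Skype notifier", "Jigomerge", "Elasticsearch Query",
        "Cisco Spark", "RQM", "hpe-network-virtualization"]),
    "Tokens or API keys stored in plain text": ("Session takeover / account takeover", [
        "Build Notifications", "RocketChat Notifier", "OpsGenie"]),
}

def normalize(name):
    """Lower-case, unify '-' and '_' to spaces, and drop a trailing 'plugin' word."""
    words = name.lower().replace("-", " ").replace("_", " ").split()
    if words and words[-1] == "plugin":
        words = words[:-1]
    return " ".join(words)

def find_affected(plugin_manager_json):
    """Map each enabled installed plugin named in ADVISORY to its [(class, impact), ...]."""
    hits = {}
    for p in json.loads(plugin_manager_json)["plugins"]:
        if not p.get("enabled", True):  # disabled plugins are not loaded by Jenkins
            continue
        key = normalize(p["longName"])
        for vuln, (impact, names) in ADVISORY.items():
            if key in {normalize(n) for n in names}:
                hits.setdefault(p["longName"], []).append((vuln, impact))
    return hits

# Constructed sample shaped like the "plugins" array of /pluginManager/api/json?depth=1.
SAMPLE = json.dumps({"plugins": [
    {"longName": "Plot plugin", "enabled": True},
    {"longName": "Git plugin", "enabled": True},       # not in the advisory table
    {"longName": "Recipe Plugin", "enabled": True},    # listed under three classes
    {"longName": "OpsGenie Plugin", "enabled": False}, # listed, but already disabled
]})
if __name__ == "__main__":
    print(find_affected(SAMPLE))
```

Against a live controller, replace SAMPLE with the body of the plugin manager API response fetched with an account that holds Overall/Administer.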
Better preparation for 0-day attacks
You cannot stop 0-day attacks and cannot predict when they will come. What helps is sticking to security basics and best practices. Another proactive step an organisation can take is to adopt passwordless authentication across its entire software engineering infrastructure.
Passwordless solutions like PureAUTH also contain the impact of session takeovers arising from token theft via XSS, by enforcing convenient but regular logins.
Making your software engineering infrastructure passwordless can contain the impact of 95% of such 0-day vulnerabilities without any security configuration change.