Jenkins 0 days & Your Supply Chain Security

PureID

Ajit Hatti

July 6, 2022

The Jenkins security team has announced 34 zero-day vulnerabilities in 24 of its plugins, disclosed publicly before fixes were available for most of them. The vulnerabilities range from reflected and stored XSS and CSRF to passwords and API tokens stored in plain text. The full list of affected plugins and an overview of their impact can be found in the BleepingComputer article on the disclosure.

Jenkins 0 Days and its Impact

The impact varies from plugin to plugin. Depending on which plugins your organisation has installed, your Jenkins setup faces varying degrees of risk, up to compromise of the software supply chain that the Jenkins instance builds and deploys.

Below we list the common vulnerability classes from the advisory, the maximum impact of each, and the plugins affected by each class.

Vulnerability | Maximum impact | Affected plugins
Stored XSS | Credential theft, account takeover | Plot Plugin, build-metrics Plugin, Rich Text Publisher Plugin, Matrix Reloaded Plugin, eXtreme Feedback Panel Plugin, Validating Email Parameter Plugin, Deployment Dashboard Plugin
XSS (Cross-Site Scripting) | Credential theft, account takeover | GitLab Plugin, TestNG Results Plugin, Project Inheritance Plugin, Recipe Plugin
CSRF (Cross-Site Request Forgery) | Credential reset, token theft, account takeover | XebiaLabs XL Release Plugin, Matrix Reloaded Plugin, Recipe Plugin, XPath Configuration Viewer Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin
Missing permission checks | Credential theft, unauthorised actions | XebiaLabs XL Release Plugin, requests-plugin, build-metrics Plugin, Recipe Plugin, Deployment Dashboard Plugin, RQM Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin
Passwords stored in plain text | Mass credential theft | Deployment Dashboard Plugin, Skype notifier Plugin, Jigomerge Plugin, Elasticsearch Query Plugin, Cisco Spark Plugin, RQM Plugin, hpe-network-virtualization Plugin
Tokens, API keys or secrets stored in plain text | Session takeover, account takeover | Build Notifications Plugin, RocketChat Notifier Plugin, OpsGenie Plugin
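The last two rows of the table are the easiest class to check for yourself. Jenkins core encrypts values held in hudson.util.Secret and writes them to config.xml as a base64 string wrapped in braces; a plugin that stores a credential in a plain String field writes it to disk as-is. The following scanner is an added example for this article (not Jenkins or PureID code). It assumes the usual Jenkins home layout (plugin global settings as top-level <plugin>.xml files, job configs under jobs/<name>/config.xml) and the brace-wrapped on-disk shape of Secret values; the element names it treats as sensitive are a heuristic, and the sample XML is constructed for the example.

```python
"""Find credentials that a Jenkins plugin wrote to config.xml in plain text.

Added example for this article, not Jenkins or PureID code. Assumptions:
- job configs live at <JENKINS_HOME>/jobs/<name>/config.xml and plugin global
  configs at <JENKINS_HOME>/<plugin-class>.xml;
- values encrypted with hudson.util.Secret appear on disk as "{<base64>}";
- the element-name pattern below is a heuristic for credential fields.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Element names that commonly carry credentials in plugin configuration (heuristic).
SENSITIVE = re.compile(r"(password|passwd|token|secret|api[_-]?key)", re.I)
# Shape of a hudson.util.Secret on disk: base64 text wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(xml_text: str):
    """Return (element name, value) for every credential-looking element whose
    text is present and is not in the encrypted Secret format."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop an XML namespace prefix if present
        if not SENSITIVE.search(tag):
            continue
        value = (elem.text or "").strip()
        if not value or ENCRYPTED.match(value):
            continue
        findings.append((tag, value))
    return findings


def scan_jenkins_home(home: Path):
    """Scan plugin global configs and job configs under a Jenkins home directory.
    Returns {path: [(element, value), ...]} for files with plaintext findings."""
    results = {}
    candidates = list(home.glob("*.xml")) + list(home.glob("jobs/*/config.xml"))
    for path in candidates:
        try:
            hits = find_plaintext_secrets(path.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError):
            continue  # not XML, or unreadable; skip rather than abort the scan
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample of a notifier plugin's global config: one plaintext
# password, one token in the encrypted Secret shape, one empty field.
SAMPLE_CONFIG = """<com.example.notifier.GlobalConfig>
  <serverUrl>https://chat.example.internal</serverUrl>
  <username>ci-bot</username>
  <password>hunter2</password>
  <apiToken>{AQAAABAAAAAQ3hZm2lW4l0P7cQ1ry8O8o0m5D2w3Sx0N5bQ==}</apiToken>
  <proxyPassword></proxyPassword>
</com.example.notifier.GlobalConfig>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python scan.py /var/lib/jenkins  (prints lengths, never the values)
        for path, hits in scan_jenkins_home(Path(sys.argv[1])).items():
            for tag, value in hits:
                print(f"{path}: <{tag}> stored in plain text ({len(value)} chars)")
    else:
        print(find_plaintext_secrets(SAMPLE_CONFIG))  # [('password', 'hunter2')]
```

Any hit means that everyone who can read the file (backup operators, anyone with Overall/Administer, anyone who obtains the config via a missing-permission-check bug like those in the table) has the credential itself, not an encrypted form that still needs the instance's master key. Rotate the credential after replacing the plugin; a plaintext secret that has already been on disk should be treated as exposed.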

Remediation

Applying patches is the recommended way to fix vulnerabilities. In this case, at the time of writing, fixes are not yet available for many of the affected plugins, so those plugins remain exploitable zero-days on every instance that has them installed.

A Shodan search returns more than 150,000 internet-exposed Jenkins instances. Shodan cannot tell which plugins each one runs, but any of them that has one of the affected plugins installed is reachable by an attacker without first getting into the network.

In the absence of patches, disabling the vulnerable plugins is the safest option (Manage Jenkins > Manage Plugins > Installed lists what is present and lets you disable each one), but it is disruptive if a plugin is part of the organisation's engineering process.
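Before deciding what to disable, you need to know which of the listed plugins are actually installed. The following check is an added example for this article (not Jenkins or PureID code). It reads the plugin inventory from Jenkins' own plugin-manager endpoint, GET <jenkins>/pluginManager/api/json?depth=1, whose entries carry shortName, longName, version and active, and compares it against the display names from the table above. Because the article lists display names rather than plugin IDs, matching is by normalised name and is a heuristic; the host, user and API token are placeholders supplied on the command line, and the sample response is constructed for the example.

```python
"""Report installed Jenkins plugins that appear in this article's affected list.

Added example for this article, not Jenkins or PureID code. Assumptions:
- the instance exposes GET /pluginManager/api/json?depth=1 to the given user;
- authentication is HTTP basic with a Jenkins API token;
- matching on display name (longName) or shortName is good enough to shortlist
  plugins for manual review; it is not a precise plugin-ID match.
"""
import base64
import json
import sys
import urllib.request

# Display names copied from the article's table (trailing "Plugin" dropped).
AFFECTED = [
    "Plot", "build-metrics", "Rich Text Publisher", "Matrix Reloaded",
    "eXtreme Feedback Panel", "Validating Email Parameter", "Deployment Dashboard",
    "GitLab", "TestNG Results", "Project Inheritance", "Recipe",
    "XebiaLabs XL Release", "XPath Configuration Viewer", "Rename Or Delete",
    "Failed Job Deactivator", "requests-plugin", "RQM", "Skype notifier",
    "Jigomerge", "Elasticsearch Query", "Cisco Spark", "hpe-network-virtualization",
    "Build Notifications", "RocketChat Notifier", "OpsGenie",
]


def _norm(name: str) -> str:
    """Lower-case and drop a trailing ' plugin' so 'GitLab Plugin' equals 'gitlab'."""
    n = name.strip().lower()
    if n.endswith(" plugin"):
        n = n[: -len(" plugin")]
    return n


AFFECTED_NORM = {_norm(n) for n in AFFECTED}


def affected_installed(plugin_manager_json: dict) -> list:
    """Return installed plugins whose longName or shortName matches the affected
    list, as dicts with shortName/longName/version/active, sorted by shortName."""
    hits = []
    for p in plugin_manager_json.get("plugins", []):
        names = {_norm(p.get("longName", "")), _norm(p.get("shortName", ""))}
        if names & AFFECTED_NORM:
            hits.append({
                "shortName": p.get("shortName"),
                "longName": p.get("longName"),
                "version": p.get("version"),
                "active": bool(p.get("active")),
            })
    return sorted(hits, key=lambda h: h["shortName"] or "")


def fetch_plugins(base_url: str, user: str, api_token: str) -> dict:
    """Fetch the plugin inventory with HTTP basic auth (user + Jenkins API token)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the shape of the endpoint's response. "git" and
# "matrix-project" are deliberate near-misses that must not be reported.
SAMPLE_RESPONSE = {
    "plugins": [
        {"shortName": "git", "longName": "Git plugin", "version": "4.11.3", "active": True},
        {"shortName": "gitlab-plugin", "longName": "GitLab Plugin", "version": "1.5.35", "active": True},
        {"shortName": "plot", "longName": "Plot Plugin", "version": "2.1.9", "active": False},
        {"shortName": "build-metrics", "longName": "build-metrics", "version": "1.3", "active": True},
        {"shortName": "matrix-project", "longName": "Matrix Project Plugin", "version": "771.v574584b_39f60", "active": True},
    ]
}

if __name__ == "__main__":
    # Real run: python check.py https://jenkins.example.internal admin <api-token>
    data = fetch_plugins(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_RESPONSE
    for h in affected_installed(data):
        state = "active" if h["active"] else "disabled"
        print(f"{h['shortName']:<30} {h['version']:<20} {state:<9} {h['longName']}")
```

A plugin that shows up as disabled still has its .jpi file and configuration on disk, so for the plain-text-secret rows of the table its stored credentials remain exposed to anyone who can read JENKINS_HOME; disabling stops the vulnerable code from running but does not retire the secrets.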

In such cases we always recommend strong passwordless authentication. When there is no password to store, there is nothing for a plugin to write to disk in plain text and nothing for an XSS payload to phish, which makes most of the credential-theft attacks in the table irrelevant even while the vulnerable plugins remain installed. Attacks that steal a live session cookie or an API token are a separate matter and must be contained by short session and token lifetimes.

Better prepare for 0 Day attacks

You cannot prevent 0-day vulnerabilities and cannot predict when they will be disclosed. What helps is sticking to security basics and best practices: least privilege on Jenkins accounts, no internet exposure of the controller, and regular review of installed plugins. Beyond that, an organisation can proactively adopt passwordless authentication across its entire software engineering infrastructure.

Passwordless solutions like PureAUTH also contain the impact of session takeovers arising from session-token theft via XSS by enforcing short session lifetimes with convenient re-authentication, so a stolen session is useful to the attacker only until it expires. Jenkins itself lets you shorten the session lifetime with the --sessionTimeout=<minutes> option when starting jenkins.war; keep that value low as well, whatever authentication is in front of it.

By our estimate, making your software engineering infrastructure passwordless contains the impact of about 95% of 0-day vulnerabilities of the kinds in the table above without any change to the security configuration of the vulnerable tools themselves.
