Researchers have discovered around 45,000 instances of Jenkins servers that are exposed online, making them susceptible to the critical remote code execution (RCE) flaw, CVE-2023-23897. Jenkins is a prominent open-source automation server that developers use to streamline processes such as building, testing, and deploying. It supports a wide range of plugins and caters to organizations of all sizes and types.
On January 24, 2024, Jenkins released versions 2.442 and LTS 2.426.3 to address CVE-2023-23897, a vulnerability that allows arbitrary file reading and can lead to the execution of arbitrary command-line interface (CLI) commands. The flaw stems from a CLI feature that replaces an @ character followed by a file path with the file's content. This feature, which is enabled by default, can be exploited by attackers to read arbitrary files on the Jenkins controller's file system. Depending on their permissions, attackers could read the first few lines of a file or even entire files, exposing sensitive information.
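A quick inventory check a defender might run against the fixed versions named above, as an added example that is not code from the article or from the Jenkins project. It parses the version Jenkins returns in its X-Jenkins response header (the header values below are constructed samples) and compares it against the right release train, since weekly (2.442) and LTS (2.426.3) versions are numbered on separate lines and must not be compared against each other.

```python
"""Classify a Jenkins version string against the fixed releases from the bulletin.

Added example. Fixed versions: weekly 2.442, LTS 2.426.3. Sample header values are
constructed for this example, not taken from real scan results.
"""
from __future__ import annotations

import re

# Fixed releases per the bulletin; weekly and LTS trains are versioned separately.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, ...] | None:
    """Return the numeric version tuple from an X-Jenkins header value.

    Weekly releases have two components (2.441); LTS releases have three
    (2.426.2). Trailing suffixes such as '-SNAPSHOT' are ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version: str) -> bool | None:
    """True if the version predates the fix for its own release train.

    Returns None when the value cannot be parsed, so an unknown version is
    flagged for review rather than silently treated as patched.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_LTS if len(parsed) == 3 else FIXED_WEEKLY
    return parsed < fixed


def triage(headers: dict[str, str]) -> str:
    """Classify one scan result from its response headers."""
    value = headers.get("X-Jenkins")
    if value is None:
        return "not-jenkins"
    return {None: "unknown", True: "vulnerable", False: "patched"}[is_vulnerable(value)]


if __name__ == "__main__":
    # Constructed sample headers covering both trains, a suffix, and a non-Jenkins host.
    for hdrs in ({"X-Jenkins": "2.441"}, {"X-Jenkins": "2.426.2"}, {"X-Jenkins": "2.442"},
                 {"X-Jenkins": "2.426.3"}, {"X-Jenkins": "2.443-SNAPSHOT"}, {}):
        print(hdrs.get("X-Jenkins", "<none>"), "->", triage(hdrs))
```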
According to the security bulletin released by the software vendor, unpatched Jenkins instances are exposed to potential attacks, including RCE, by manipulating Resource Root URLs or 'Remember me' cookies, or by bypassing CSRF protection. Depending on the instance's configuration, attackers could decrypt stored secrets, delete items from the Jenkins server, and download Java heap dumps.
Security researchers have warned of multiple working exploits for CVE-2023-23897, significantly increasing the risk for unpatched Jenkins servers and the likelihood of exploitation in the wild. Researchers monitoring Jenkins honeypots have observed activities that appear to be genuine attempts at exploitation, but there is no conclusive evidence yet.
Threat monitoring service Shadowserver reported that its scanners have detected approximately 45,000 unpatched Jenkins instances, suggesting a vast attack surface. The majority of these vulnerable instances exposed on the internet are located in China (12,000) and the United States (11,830), followed by Germany (3,060), India (2,681), France (1,431), and the UK (1,029).
Shadowserver's statistics serve as a stark warning to Jenkins administrators. It is highly probable that hackers are already scanning for potential targets, and successful exploitation of CVE-2023-23897 could have severe consequences. Users who are unable to immediately apply the available security updates should refer to the Jenkins security bulletin for mitigation recommendations and potential workarounds.