About the Vulnerability

Introduction

Jenkins (a fork of Hudson, with CloudBees as its main commercial backer) is an open-source, Java-based continuous integration server. It is mainly used to build and test software releases and to run scheduled jobs. A Jenkins deployment consists of a controller and the agent processes it hands work to; the agent-to-controller connection is the trust boundary this vulnerability crosses.

Summary

On August 27, 2024, Sangfor FarSight Labs received notification of an arbitrary file read vulnerability in Jenkins (CVE-2024-43044), classified as high in threat level.

Jenkins 2.470 and earlier, as well as LTS 2.452.3 and earlier, allow agent processes to use the ‘ClassLoaderProxy#fetchJar’ method in the Remoting library to read arbitrary files from the Jenkins controller's file system. Exploitation therefore requires control of an agent process (for example a compromised build agent); because the controller's file system holds credentials and signing secrets, the Jenkins advisory notes that the file read can lead to remote code execution on the controller.

Affected Versions

Jenkins ≤ 2.470

Jenkins LTS ≤ 2.452.3

Solutions

Remediation Solutions

Check the System Version

The running version is shown in the bottom right corner of the Jenkins web UI; clicking it opens the “About Jenkins” page. Compare the version shown there against the affected ranges above.
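Checking one controller by hand is fine; checking a fleet is not. The following Python helper is an added example, not Sangfor or Jenkins project code. It encodes the affected ranges stated above (weekly ≤ 2.470, LTS ≤ 2.452.3), distinguishes weekly releases (two version components) from LTS releases (three components), and reads the version from the X-Jenkins response header that a Jenkins controller sends, including on the 403 an anonymous user receives. The host names and header values in SAMPLE_RESPONSES are constructed for the demonstration.

```python
"""Classify Jenkins controllers as affected by CVE-2024-43044 from their version.

Added example (not Sangfor or Jenkins code). Affected ranges are taken from the
advisory above: weekly releases <= 2.470 and LTS releases <= 2.452.3.
"""

import re
from typing import Dict, Mapping, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Last affected version of each release line, per the advisory text.
LAST_AFFECTED_WEEKLY = (2, 470)
LAST_AFFECTED_LTS = (2, 452, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.452.3' into (2, 452, 3) and '2.470' into (2, 470).

    Weekly releases have two numeric components, LTS releases three. Anything
    after the numeric part (e.g. '-SNAPSHOT') is ignored.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a Jenkins version string: {text!r}")
    parts = [int(match.group(1)), int(match.group(2))]
    if match.group(3) is not None:
        parts.append(int(match.group(3)))
    return tuple(parts)


def is_lts(version: Tuple[int, ...]) -> bool:
    return len(version) == 3


def is_affected(text: str) -> bool:
    """True if the version falls inside the affected range for its release line."""
    version = parse_version(text)
    if is_lts(version):
        return version <= LAST_AFFECTED_LTS
    return version <= LAST_AFFECTED_WEEKLY


def version_from_headers(headers: Mapping[str, str]) -> Optional[str]:
    """Return the X-Jenkins header value (case-insensitive lookup), or None."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def check_controller(url: str, timeout: float = 5.0) -> Optional[bool]:
    """Live check: GET the controller root and classify it by X-Jenkins.

    Returns None when the header is absent (not Jenkins, or a reverse proxy
    strips it). A 403 for anonymous users still carries the header.
    """
    request = Request(url, headers={"User-Agent": "cve-2024-43044-version-check"})
    try:
        with urlopen(request, timeout=timeout) as response:
            version = version_from_headers(response.headers)
    except HTTPError as err:
        version = version_from_headers(err.headers)
    return is_affected(version) if version else None


# Constructed sample responses (not captured from real hosts).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "build-01": {"X-Jenkins": "2.452.3"},   # last affected LTS
    "build-02": {"X-Jenkins": "2.462.1"},   # LTS newer than the affected range
    "build-03": {"x-jenkins": "2.470"},     # last affected weekly
    "gateway": {"Server": "nginx"},         # header missing: cannot classify
}


def triage(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Map host -> 'affected' / 'not affected' / 'unknown'."""
    result: Dict[str, str] = {}
    for host, headers in responses.items():
        version = version_from_headers(headers)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_affected(version) else "not affected"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: {status}")
```

An "unknown" result is not a clean bill of health: a reverse proxy that strips X-Jenkins hides the version, so fall back to the About Jenkins page or the package manager on the controller host for those entries.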


Official Solution

Affected users are strongly advised to upgrade Jenkins. The fix shipped in Jenkins 2.471 (weekly) and in LTS 2.452.4 and 2.462.1; until the upgrade is done, treat every agent connection as a path to the controller's file system and remove agents that are not fully trusted.

Download link: https://www.jenkins.io/download/

Sangfor Solutions

Risky Assets Detection

Proactive detection of Jenkins deployments is supported, so affected assets in a business environment can be identified in batch. Related products are as follows:

[Sangfor CWPP] has released an asset detection scheme, with Fingerprint ID: 0000020.

[Sangfor Host Security] has also released an asset detection scheme, with Fingerprint ID: 0000020.

Vulnerability Proactive Detection

Proactive detection of the Jenkins Arbitrary File Read Vulnerability (CVE-2024-43044) is supported, so vulnerable instances in a business environment can be identified quickly and in batch. Related products are as follows:

[Sangfor Host Security] is expected to release a detection scheme on September 1, 2024 with Rule ID: SF-2024-00653.

[Sangfor Cyber Guardian MDR] is expected to release a detection scheme on September 5, 2024 with Rule ID: SF-2024-00653.

[Sangfor Omni-Command] is expected to release a detection scheme on September 1, 2024 (requiring Host Security component capabilities), with Rule ID: SF-2024-00653.

Timeline

On August 27, 2024, Sangfor FarSight Labs received notification of the Jenkins Arbitrary File Read vulnerability.

On August 27, 2024, Sangfor FarSight Labs released a vulnerability alert.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-43044

https://www.jenkins.io/security/advisory/2024-08-07/

https://github.com/jenkinsci/jenkins/commit/3f54c41b40db9e4ae7afa4209bc1ea91bb9175c0
