About the Vulnerability
Introduction
CloudBees Jenkins (Hudson Labs) is a continuous integration tool based on Java developed by CloudBees, an American company. This product is mainly used for monitoring ongoing software version release/testing projects and some tasks that are executed on a schedule.
Summary
On August 27, 2024, Sangfor FarSight Labs received notification that a CloudBees Jenkins component contains information of Arbitrary File Read Vulnerability(CVE-2024-43044), classified as high in threat level.
Jenkins 2.470 and its earlier versions, as well as LTS 2.452.3 and its earlier versions, allows the proxy process to use the ‘ClassLoaderProxy#fetchJar’ method in the Remoting library to read arbitrary files from the Jenkins controller's file system.
Affected Versions
Jenkins ≤ 2.470
Jenkins LTS ≤ 2.452.3
Solutions
Remediation Solutions
Check the System Version
You can click “About Jenkins” on the bottom right corner to check the current version.
Official Solution
Affected users are strongly advised to update the version of Jenkins.
Download link: https://www.jenkins.io/download/
Sangfor Solutions
Risky Assets Detection
Support is provided for proactive detection of CloudBees Jenkins; and it is capable of batch identifying the affected asset conditions of this event in business scenarios. Related products are as follows:
[Sangfor CWPP] has released an asset detection scheme, with Fingerprint ID: 0000020.
[Sangfor Host Security] has also released an asset detection scheme, with Fingerprint ID: 0000020.
Vulnerability Proactive Detection
Support is provided for proactive detection of Jenkins Arbitrary File Read Vulnerability (CVE-2024-43044); and it is capable of quickly batch identifying whether there are vulnerability risks in business scenarios. Related products are as follows:
[Sangfor Host Security] is expected to release a detection scheme on September 1, 2024 with Rule ID: SF-2024-00653.
[Sangfor Cyber Guardian MDR] is expected to release a detection scheme on September 5, 2024 with Rule ID: SF-2024-00653.
[Sangfor Omni-Command] is expected to release a detection scheme on September 1, 2024 (requiring Host Security component capabilities), with Rule ID: SF-2024-00653.
Timeline
On August 27, 2024, Sangfor FarSight Labs received notification of the Jenkins Arbitrary File Read vulnerability.
On August 27, 2024, Sangfor FarSight Labs released a vulnerability alert.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-43044 https://www.jenkins.io/security/advisory/2024-08-07/ https://github.com/jenkinsci/jenkins/commit/3f54c41b40db9e4ae7afa4209bc1ea91bb9175c0