About the Vulnerability

Introduction

CloudBees Jenkins (Hudson Labs) is a continuous integration tool based on Java developed by CloudBees, an American company. This product is mainly used for monitoring ongoing software version release/testing projects and some tasks that are executed on a schedule.

Summary

On August 27, 2024, Sangfor FarSight Labs received notification that a CloudBees Jenkins component contains information of Arbitrary File Read Vulnerability(CVE-2024-43044), classified as high in threat level.

Jenkins 2.470 and its earlier versions, as well as LTS 2.452.3 and its earlier versions, allows the proxy process to use the ‘ClassLoaderProxy#fetchJar’ method in the Remoting library to read arbitrary files from the Jenkins controller's file system.

Affected Versions

Jenkins ≤ 2.470

Jenkins LTS ≤ 2.452.3

Solutions

Remediation Solutions

Check the System Version

You can click “About Jenkins” on the bottom right corner to check the current version.

CVE-2024-43044-1

Official Solution

Affected users are strongly advised to update the version of Jenkins.

Download link: https://www.jenkins.io/download/

Sangfor Solutions

Risky Assets Detection

Support is provided for proactive detection of CloudBees Jenkins; and it is capable of batch identifying the affected asset conditions of this event in business scenarios. Related products are as follows:

[Sangfor CWPP] has released an asset detection scheme, with Fingerprint ID: 0000020.

[Sangfor Host Security] has also released an asset detection scheme, with Fingerprint ID: 0000020.

Vulnerability Proactive Detection

Support is provided for proactive detection of Jenkins Arbitrary File Read Vulnerability (CVE-2024-43044); and it is capable of quickly batch identifying whether there are vulnerability risks in business scenarios. Related products are as follows:

[Sangfor Host Security] is expected to release a detection scheme on September 1, 2024 with Rule ID: SF-2024-00653.

[Sangfor Cyber Guardian MDR] is expected to release a detection scheme on September 5, 2024 with Rule ID: SF-2024-00653.

[Sangfor Omni-Command] is expected to release a detection scheme on September 1, 2024 (requiring Host Security component capabilities), with Rule ID: SF-2024-00653.

Timeline

On August 27, 2024, Sangfor FarSight Labs received notification of the Jenkins Arbitrary File Read vulnerability.

On August 27, 2024, Sangfor FarSight Labs released a vulnerability alert.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-43044 https://www.jenkins.io/security/advisory/2024-08-07/ https://github.com/jenkinsci/jenkins/commit/3f54c41b40db9e4ae7afa4209bc1ea91bb9175c0

Listen To This Post

Search

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

See Other Product