Tens of thousands of Jenkins servers have been found exposed to a high-severity bug following a patch update. The flaw enables malicious actors to execute harmful code remotely on affected systems. Around 45,000 Jenkins servers are said to be affected and open to critical remote code execution (RCE) attacks through the vulnerability, tracked as CVE-2024-23897.

In an advisory on the Jenkins website, the project rated the issue as critical, because the flaw “allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”

The open source project recently issued two updates to rectify this security issue, and it strongly advises users to apply these patches promptly to minimize the risk. Jenkins is an automation server for CI/CD pipelines that developers use to build and test their software.

The Register reports that the majority of the affected servers are located in the US and China, with counts of 15,806 and 11,955 respectively. Following these are India with 3,572 servers, Germany with 3,487, the Republic of Korea with 2,204, France with 1,482, and the UK with 1,179 vulnerable servers.

Although the vulnerability was discovered by Sonar’s Vulnerability Research Team on January 24th, it remains unfixed, leaving exposed servers susceptible to potential attacks.

How severe is the attack?

CVE-2024-23897 carries a high severity score of 9.8, which is regarded as serious. The vulnerability lies in Jenkins’ built-in command line interface (CLI), which is enabled by default in versions up to and including Jenkins 2.441.
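A small fleet-triage script for the version range named above, added here as an example rather than code from the article or the Jenkins project. It assumes an inventory of (host, version) pairs, for instance collected from the X-Jenkins header that a Jenkins controller sends in its HTTP responses, and it compares weekly release numbers against 2.441, the last affected weekly version the article names; three-part LTS versions such as 2.426.2 are on a separate numbering line, so they are flagged for a manual check against the advisory instead of being compared numerically.

```python
"""Triage a Jenkins inventory against the CVE-2024-23897 weekly cut-off.

Added example. Hostnames and versions in SAMPLE_INVENTORY are constructed.
"""
from dataclasses import dataclass

LAST_AFFECTED_WEEKLY = (2, 441)  # "up to and including Jenkins 2.441"


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    status: str  # affected-range | patched-range | lts-check-advisory | unknown


def parse_version(raw: str):
    """Return a tuple of ints for 'major.minor[.patch]' strings, or None."""
    parts = raw.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(host: str, raw_version: str) -> Finding:
    ver = parse_version(raw_version)
    if ver is None or len(ver) not in (2, 3):
        return Finding(host, raw_version, "unknown")
    if len(ver) == 3:
        # LTS line (e.g. 2.426.x) is fixed by a separate LTS release, so a
        # numeric comparison against the weekly cut-off would be misleading.
        return Finding(host, raw_version, "lts-check-advisory")
    if ver <= LAST_AFFECTED_WEEKLY:
        return Finding(host, raw_version, "affected-range")
    return Finding(host, raw_version, "patched-range")


def triage(inventory):
    """Classify every (host, version) pair; affected hosts are listed first."""
    order = {"affected-range": 0, "lts-check-advisory": 1,
             "unknown": 2, "patched-range": 3}
    findings = [classify(h, v) for h, v in inventory]
    return sorted(findings, key=lambda f: (order[f.status], f.host))


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("ci-build-01.example", "2.441"),
    ("ci-build-02.example", "2.442"),
    ("ci-lts-01.example", "2.426.2"),
    ("ci-old-01.example", "2.387"),
    ("ci-misc-01.example", "n/a"),
]
```

Running `triage(SAMPLE_INVENTORY)` puts the two weekly hosts at or below 2.441 first, then the LTS host for manual review, then the unparseable entry, with the patched host last.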

According to BleepingComputer, attackers could potentially decrypt stored secrets, delete items from Jenkins servers, and download Java heap dumps. The outlet also reported that there had already been several possible “genuine attempts at exploitation.”

In 2023, Jenkins was considered one of the best developer tools of the year due to its extensibility and adaptability. However, cybersecurity firm Armis has reported that cyber attacks more than doubled in 2023, warning that numerous businesses worldwide continue to underestimate the escalating threat to cybersecurity.

Featured image: Canva / The Jenkins Project

Suswati Basu

Freelance journalist
