This alert has been written for the IT teams of organisations and government agencies.
Background / What has happened?
ASD’s ACSC is tracking multiple vulnerabilities impacting Jenkins products, including an arbitrary file read that could lead to Remote Code Execution and a cross-site WebSocket hijacking flaw in the Jenkins command line interface (CLI).
CVE-2024-23897 is a Critical severity vulnerability in the CLI command parser. The parser expands an argument beginning with an @ character as the path of a file whose contents are read on the Jenkins controller and used as command arguments, allowing attackers to read arbitrary files on the controller file system. Depending on the attacker's permissions and the Jenkins configuration, this file read can be leveraged into Remote Code Execution.
CVE-2024-23898 is a High severity cross-site WebSocket hijacking vulnerability in the CLI. A threat actor who lures an authenticated Jenkins user to a malicious web page can execute CLI commands on the Jenkins controller with that user's permissions.
ASD’s ACSC is also tracking CVE-2023-6147, CVE-2023-6148, CVE-2024-23899, CVE-2024-23900, CVE-2024-23901, CVE-2024-23902, CVE-2024-23903, CVE-2024-23904 and CVE-2024-23905, which affect Jenkins products covered by the same advisory.
A full list of affected versions can be found in the Jenkins Security Advisory.
ASD’s ACSC is aware of reporting of active exploitation of both CVE-2024-23897 and CVE-2024-23898.
Mitigation / How do I stay secure?
Organisations should identify Jenkins controllers in their environments, determine the version each is running, and upgrade to Jenkins 2.442 (weekly) or LTS 2.426.3, or later. Where an immediate upgrade is not possible, the Jenkins Security Advisory describes disabling access to the CLI as a temporary workaround.
Organisations that have been running vulnerable versions should also assess their environments for any indications of compromise. A version check shows only whether a controller is currently patched, not whether it was exploited beforehand.
Consult the Jenkins Security Advisory for further details.
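The following is an added example, not code from this alert or from the Jenkins project, showing how an IT team can triage an inventory of Jenkins controllers against the fixed versions above. It treats a three-component version (for example 2.426.2) as an LTS release and a two-component version (for example 2.441) as a weekly release, because the two lines have different fixed versions. Jenkins reports its version in the X-Jenkins response header; the hostnames and header sets below are constructed sample data, not real systems.

```python
"""Triage Jenkins controllers against the CVE-2024-23897 / CVE-2024-23898 fixed
versions (weekly 2.442, LTS 2.426.3) using the version each controller reports."""
import re
from typing import Dict, Optional, Tuple

# Fixed versions from the Jenkins Security Advisory referenced in this alert.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor) for a weekly release or (major, minor, patch) for an
    LTS release; None if the string is not a Jenkins version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its release line, False if it is
    at or beyond the fixed version, None if the string cannot be parsed.
    Every LTS line before 2.426.3 (e.g. 2.414.x) compares as vulnerable; every
    LTS release after it (e.g. 2.440.1) compares as patched."""
    parts = parse_version(version)
    if parts is None:
        return None
    if len(parts) == 3:
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Extract the Jenkins version from captured response headers. Jenkins sets
    X-Jenkins on its responses; names are matched case-insensitively because
    scanners and proxies normalise header case differently."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def triage(inventory: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'patched' | 'unknown'. 'unknown' covers hosts
    that did not return a parseable X-Jenkins header (for example a reverse
    proxy that strips it); those need a manual check rather than being
    assumed safe."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    result = {}
    for host, headers in inventory.items():
        version = version_from_headers(headers)
        state = is_vulnerable(version) if version is not None else None
        result[host] = labels[state]
    return result


# Constructed sample inventory (hypothetical hosts), as a header scan of the
# /login page of each controller might have recorded it.
SAMPLE_INVENTORY = {
    "ci-lts.example.internal": {"X-Jenkins": "2.426.2", "Server": "Jetty"},
    "ci-weekly.example.internal": {"x-jenkins": "2.442"},
    "ci-old.example.internal": {"X-Jenkins": "2.414.3"},
    "ci-fixed-lts.example.internal": {"X-Jenkins": "2.426.3"},
    "proxy.example.internal": {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as "unknown" should be checked by other means (for example the version shown in the Jenkins web interface footer or the installed package), and a "patched" result does not remove the need to look for signs of compromise on controllers that were exposed while vulnerable.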
Assistance / Where can I go for help?
ASD’s ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).