The Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server.
With over 1,700 plugins available, Jenkins is an extremely popular platform used worldwide for building, testing, and deploying software. According to Jenkins' own statistics, tens of thousands of users have installed the impacted plugins.
The vulnerabilities described include:
- Cross-site scripting (XSS)
- Passwords, API keys, secrets, and tokens stored in plaintext
- Cross-site request forgery (CSRF)
- Missing and incorrect permission checks
Here’s how Cycode enters the picture:
1. Identify. Part of Cycode’s role as a leader of supply-chain security is securing build systems like Jenkins. Learn how Cycode implements Jenkins Security Best Practices.
2. Detect and Alert. Cycode detects and visualizes the occurrence of security violations and vulnerabilities in its Dashboards and Violations Page.
The Cycode Research Team updates the "Threat Intelligence" Dashboard regularly with the latest industry threats and zero-day exploits, such as this Jenkins multiple-plugin advisory.
Furthermore, users may explore the detection results in depth via the "Knowledge Graph", using Cycode's out-of-the-box (OOTB) queries to trace a vulnerability's impact back to the software source and identify the moving parts in a complex supply chain.
Find out whether your Jenkins plugins are vulnerable by searching for specific vulnerabilities, or search for all existing vulnerabilities at once.
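The same check can be scripted directly against a Jenkins instance's plugin inventory. The following is an added example, not code from this post or from Cycode; it assumes the JSON shape returned by Jenkins' `/pluginManager/api/json?depth=1` endpoint (embedded here as a constructed sample) and a placeholder table of fixed versions, which in practice must be filled in from the Jenkins security advisory itself.

```python
"""Compare installed Jenkins plugins against an advisory's fixed-version table."""
import json
import re

# Constructed sample of the plugin inventory Jenkins returns from
# /pluginManager/api/json?depth=1 (trimmed to the fields used below).
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "example-plugin-a", "version": "1.4", "active": True},
    {"shortName": "example-plugin-b", "version": "2.0.1", "active": True},
    {"shortName": "example-plugin-c", "version": "3.2", "active": False},
]})

# PLACEHOLDER advisory table: plugin shortName -> first fixed version.
# None means the advisory lists no fix yet. Real entries come from the
# Jenkins security advisory, not from this example.
SAMPLE_ADVISORY = {
    "example-plugin-a": "1.5",
    "example-plugin-b": "2.0.1",
    "example-plugin-c": None,
}


def version_key(version):
    """Turn '2.0.1-beta' into a tuple that sorts numerically per component.
    Numeric parts compare as integers; other parts stay text, so mixed
    components never raise. Pre-release suffixes are treated as newer than
    the bare version, which is a simplification of Jenkins' VersionNumber."""
    parts = re.split(r"[.\-]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def find_vulnerable_plugins(inventory_json, advisory):
    """Return (shortName, installed, fixed) for each installed plugin that the
    advisory names and that is older than its fix or has no fix at all.
    Disabled plugins are still reported: they remain on disk and are often
    still affected."""
    findings = []
    for plugin in json.loads(inventory_json)["plugins"]:
        name = plugin["shortName"]
        if name not in advisory:
            continue
        installed, fixed = plugin["version"], advisory[name]
        if fixed is None or version_key(installed) < version_key(fixed):
            findings.append((name, installed, fixed))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in find_vulnerable_plugins(SAMPLE_INVENTORY, SAMPLE_ADVISORY):
        print(f"{name}: installed {installed}, fixed in {fixed or 'no fix yet'}")
```

Against a live instance, fetch the inventory with an API token that has Overall/Read and feed the response body to `find_vulnerable_plugins` instead of the embedded sample.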
On top of that, users can define automatic push notifications about Jenkins plugin vulnerabilities to their preferred alerting systems, such as Jira or Slack.
3. Respond and Recover. Cycode provides developers not only with the ability to automate security functions such as alerting and ticketing, but also with actionable remediation guidelines that respond directly to triggered Jenkins vulnerabilities.
With these two factors combined, teams can improve their mean time to respond and recover (MTTR) while adopting and maintaining best security practices throughout all application lifecycle stages.
In conclusion, with the rise of supply-chain attacks in recent years, such as the SolarWinds build system attack, which exploited outdated versions of TeamCity with known CVEs, Jenkins has become a target of choice for threat actors seeking to reach the entire chain of software development, integration, and deployment. In spite of these challenges, Cycode's comprehensive security approach, as seen above, makes it easy and fast for customers to manage and prevent these threats in complex CI/CD systems.
Originally published: July 5, 2022