Jenkins, an open-source automation server for continuous integration and delivery (CI/CD), has published 34 security advisories covering 25 plugins used to extend the software.
Eleven of the advisories are rated high severity, 14 are medium, and 9 are said to be low.
The vulnerabilities described include: cross-site scripting (XSS); passwords, API keys, secrets, and tokens stored in plaintext; cross-site request forgery (CSRF); and missing and incorrect permission checks.
The following plugins are affected:
Sean Gallagher, senior threat researcher at Sophos, told The Register that individually, the vulnerabilities should not be a huge concern.
As a whole, that’s a whole lot of attack surface
“But taken as a whole, that’s a whole lot of attack surface,” said Gallagher, adding that many organizations are not particularly diligent about securing their cloud Jenkins instances.
Jenkins, he said, is fairly common and can be taken as another example of an under-supported open-source platform.
“What is most concerning is how many of these are no-fix,” said Gallagher.
Indeed, for 21 out of the 25 cited plugins, no fixes are available.
The June 30 advisory follows a similar advisory from June 22, covering 28 plugins and Jenkins core software. For 14 of these plugins, no fix is available.
“These kinds of flaws are not uncommon – in past research at NCC Group, we’ve found vulnerabilities in over 100 Jenkins plugins,” said Jennifer Fernick, SVP and global head of research at NCC Group, a security consultancy, in an email to The Register.
“Concerningly, several of even the high-severity vulnerabilities in today’s advisory lack patches, leaving development teams using these plugins entirely vulnerable to attack.
“This is particularly concerning given the highly privileged nature of automation tools such as Jenkins, and the ways in which insecure CI/CD pipelines can enable supply chain attacks during the software development process.”
In a write-up earlier this year, NCC described ten attacks that compromised Jenkins and other CI/CD systems during security assessments for clients.
These attacks were made possible, NCC said, mostly by the same root causes, including default configurations, overly permissive permissions and roles, lack of security controls, and lack of system segmentation.
The security firm describes one attack involving a GitHub OAuth plugin that was deployed in Jenkins for authentication and authorization. Because the plugin granted READ permissions to all authenticated users and the “Use GitHub repository permissions” option was checked to allow anyone with a GitHub account access the Jenkins web login interface, an NCC researcher was able to register and use a personal hosted email account to gain access to the client’s projects.
“CI/CD pipelines are complex environments,” NCC’s post explained. “This complexity requires methodical & comprehensive reviews to secure the entire stack. Often a company may lack the time, specialist security knowledge, and people needed to secure their CI/CD pipeline(s).
“Fundamentally, a CI/CD pipeline is remote code execution, and must be configured properly.” ®