Multiple vulnerabilities in Jenkins servers could be used for crypto mining
Reference:
Advisory #2018-30
Version:
1.0
Affected software:
Jenkins weekly up to and including 2.137 and Jenkins LTS up to and including 2.121.2
Type:
Unauthorized modification of configuration (CVE-2018-1999001) and ephemeral user record creation (CVE-2018-1999043); neither issue is a deserialization flaw
CVE/CVSS:
- CVE-2018-1999001
- CVE-2018-1999043
Date:
20/12/2018
Sources
- https://www.cyberark.com/threat-research-blog/tripping-the-jenkins-main-security-circuit-breaker-an-inside-look-at-two-jenkins-security-vulnerabilities/
- https://jenkins.io/security/advisory/2018-07-30/
Risks
CVE-2018-1999001 allows an attacker to supply crafted login credentials that cause Jenkins to move the config.xml file out of the Jenkins home directory. If Jenkins is later started without that file, it falls back to its legacy defaults and grants administrator access to anonymous users. An attacker with that access can read sensitive data such as source code and stored credentials, or modify software that is built and deployed through Jenkins.
CVE-2018-1999043 allows an attacker to create ephemeral (in-memory) user records simply by attempting to log in with invalid credentials. These temporary user names could allow the attacker to log into the Jenkins server for a short period of time.
Cyber criminals have exploited Jenkins servers in the past: earlier this year a group exploited CVE-2017-1000353, a Java deserialization flaw in the Jenkins CLI, to install Monero mining malware on Jenkins servers around the globe.
Recommended Actions
CERT.be recommends users to always keep their systems up to date. These issues are fixed in Jenkins weekly 2.138 and Jenkins LTS 2.121.3; earlier versions should be upgraded to those releases or later.
Until the update has been applied, confirm that config.xml is still present in the Jenkins home directory, and that it still enables security, before restarting the service: a restart without that file is what turns CVE-2018-1999001 into anonymous administrator access.
Updates can be found at: https://jenkins.io/download/
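The following script is an added example, not part of this CERT.be advisory and not Jenkins project code. It decides whether a Jenkins instance falls inside the affected range named above, using the version that Jenkins reports in its X-Jenkins response header. It assumes the Jenkins convention that weekly releases carry two version components (2.137) and LTS releases three (2.121.2); the host names and header dictionaries at the bottom are constructed sample data so the script runs offline.

```python
# Added example (not CERT.be's or the Jenkins project's code): classify a
# Jenkins version against the fix versions of the 2018-07-30 advisory.
import re
from typing import Optional

# Fix versions for CVE-2018-1999001 / CVE-2018-1999043.
FIXED_WEEKLY = (2, 138)
FIXED_LTS = (2, 121, 3)

# Leading numeric components; anything after them (e.g. "-SNAPSHOT") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    """Return the numeric components of a Jenkins version string.

    Assumed convention: weekly releases have two components (2.137),
    LTS releases have three (2.121.2).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version: str) -> bool:
    """LTS releases are recognised by their third version component."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True if the version predates the fix on its release line."""
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < FIXED_LTS      # LTS up to and including 2.121.2
    return parts < FIXED_WEEKLY       # weekly up to and including 2.137


def version_from_headers(headers: dict) -> Optional[str]:
    """Case-insensitive lookup of the X-Jenkins response header."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def assess(headers: dict) -> str:
    """One-line verdict for a captured set of response headers."""
    v = version_from_headers(headers)
    if v is None:
        return "unknown (no X-Jenkins header)"
    line = "LTS" if is_lts(v) else "weekly"
    state = "AFFECTED" if is_affected(v) else "fixed"
    return f"{v} ({line}): {state}"


# Constructed sample responses (hypothetical hosts), not captured from real servers.
SAMPLE_RESPONSES = {
    "ci-a": {"X-Jenkins": "2.121.2", "Content-Type": "text/html"},
    "ci-b": {"x-jenkins": "2.138"},
    "ci-c": {"X-Jenkins": "2.121.3"},
    "ci-d": {"X-Jenkins": "2.107.3"},
    "web":  {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, hdrs in SAMPLE_RESPONSES.items():
        print(f"{host}: {assess(hdrs)}")
```

Against a live instance, the header can be read with a request to the login page, which is reachable without authentication (for example `curl -sI https://jenkins.example/login | grep -i x-jenkins`, with the host name being a placeholder), and the dictionary passed to assess() replaced by the headers of that response. Note that an older LTS line such as 2.107.x is reported as affected even though it is not the line named in the advisory, because it too predates the fix.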