www.belgium.be Logo of the federal government

WARNING: JENKINS PATCHED CRITICAL VULNERABILITIES DUBBED ‘COREPLAGUE’.

Reference: 
Advisory #2023-27
Version: 
1.0
Affected software: 
Jenkins open-source automation server
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2023-27898 & CVE-2023-27905

Sources

https://www.jenkins.io/security/advisory/2023-03-08/

Risks

As a result of how Jenkins processes plugins available via the Update Center, a threat actor might possibly upload a plugin containing a malicious payload and launch a cross-site scripting (XSS) attack.

The vulnerabilities affect the Jenkins server and Update Center. All versions of Jenkins before 2.319.2 are exploitable and susceptible to exploitation. Cloud security firm Aqua has dubbed the set of vulnerabilities CorePlague.

Description

Two major security vulnerabilities, identified as CVE-2023-27898 and CVE-2023-27905, have been discovered in the Jenkins open-source automation server, which could lead to remote code execution on affected systems.

Exploiting these vulnerabilities might allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially resulting in a complete compromise of the Jenkins server.

The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity. Organisations should investigate if they suspect an intrusion attempt.

If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions:

Patches have been released by Jenkins for Update Center and server. Update vulnerable servers as soon as possible. Consult the security advisory of Jenkins for more information: https://www.jenkins.io/security/advisory/2023-03-08/

References

https://blog.aquasec.com/jenkins-server-vulnerabilities