Skip to content
This repository has been archived by the owner on Feb 20, 2024. It is now read-only.

jenkinsci-cert/SECURITY-3314-3315

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

README.adoc

README.adoc

 
 

disable-cli.groovy

disable-cli.groovy

 
 

Repository files navigation

SECURITY-3314/SECURITY-3315 Mitigation

This repository documents mitigations preventing exploitation of SECURITY-3314 and SECURITY-3315 on affected instances.

Overview

Access to the CLI needs to be disabled. Both of the following steps must be taken:

Note

The remoting-based CLI has been removed from Jenkins five years ago. Related instructions are not included in this documentation. Administrators of Jenkins instances with remoting-based CLI are strongly advised to urgently upgrade to more recent releases.
Important

The instructions below are only intended as a short-term workaround, even if you do not use the CLI. Due to Jenkins’s extensibility, it is possible that other ways to navigate to the affected HTTP endpoint exist.

Instructions

Disable the CLI endpoint

If Jenkins is currently running, execute the provided script disable-cli.groovy in the Script Console. Doing so will remove the CLI HTTP endpoint until Jenkins is restarted. Create a Post-Initialization Groovy Hook Script with the contents of disable-cli.groovy to ensure the script is executed whenever Jenkins is (re)started.

Confirmation

To confirm the script worked, navigate to Manage Jenkins » Jenkins CLI.

Without the mitigation applied, general CLI documentation including an overview of available CLI commands is shown. With the mitigation applied, an HTTP 404 Not Found error is shown.

Disable the SSH Port

The SSH Server Plugin provides access to the Jenkins CLI via SSH. This is a plugin whose functionality used to be part of Jenkins core, so it may be installed even if you’ve never explicitly installed it.

Navigate to Manage Jenkins » Security and ensure that the SSHD Port setting in the SSH Server section is set to Disable.

Note
 Doing this is recommended even if you choose to disable or uninstall the plugin, as plugin management functionality may reinstall or re-enable the plugin to ensure plugin dependencies are satisfied.

Alternatively, you can add the following snippet to the end of the disable-cli.groovy script:

// Disable CLI access over SSH Server Plugin
if (j.getPlugin('sshd')) {
  hudson.ExtensionList.lookupSingleton(org.jenkinsci.main.modules.sshd.SSHD.class).setPort(-1)
}

Confirmation

No explicit configuration is necessary with the supported UI option to disable the SSH Port, but you can attempt to connect to the previously configured SSH CLI port. The expected outcome is a failure to establish a connection. Note that no unauthenticated use of the SSH CLI is possible, so not every error is an indication of it being successfully disabled. These are examples of an expected (safe) result (assuming port 2222 was previously configured):

$ ssh -p 2222 jenkins.example.org
ssh: connect to host jenkins.example.org port 2222: Connection refused
$ ssh -p 2222 jenkins.example.org
kex_exchange_identification: read: Connection reset by peer
Connection reset by … port 2222

About

Workaround for disabling the CLI to mitigate SECURITY-3314/CVE-2024-23897 and SECURITY-3315/CVE-2024-23898

www.jenkins.io/security/advisory/2024-01-24/

Resources

Readme
Activity
Custom properties

Stars

6 stars

Watchers

6 watching

Forks

1 fork
Report repository

Languages