Reference: Advisory #2018-30
Version: 1.0
Affected software: Jenkins weekly up to and including 2.137 and Jenkins LTS up to and including 2.121.2
Type: Deserialization
CVE/CVSS:
→ CVE-2018-1999001
→ CVE-2018-1999043
CVE-2018-1999001 could potentially allow attackers to register on a Jenkins server as an administrator. This could expose sensitive data such as source code, or allow attackers to modify software that is deployed using Jenkins.
CVE-2018-1999043 can allow attackers to create temporary user names, which would let them log into Jenkins servers for a short period of time.
Cyber criminals have exploited Jenkins servers in the past: earlier this year a group exploited CVE-2017-1000353 to install Monero mining malware on Jenkins servers around the globe.
CERT.be recommends that users always keep their systems up to date.
Updates can be found at: https://jenkins.io/download/
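To turn the affected-version range in this advisory into an inventory check, the following added example (not part of the advisory and not Jenkins project code) parses Jenkins version strings, distinguishes the weekly line (2.N) from the LTS line (2.N.M), and flags any instance at or below the thresholds given above. The host names and the versions in the sample inventory are constructed; in practice the version would be read from each server's X-Jenkins response header.

```python
"""Flag Jenkins instances whose version falls inside the range this advisory
lists as affected: weekly <= 2.137, LTS <= 2.121.2."""
import re

# Thresholds taken from the advisory. Jenkins weekly releases are numbered
# 2.N; LTS releases add a third component, 2.N.M.
MAX_AFFECTED_WEEKLY = (2, 137)
MAX_AFFECTED_LTS = (2, 121, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_jenkins_version(text):
    """Return the numeric components of a Jenkins version as a tuple, or None
    if the string is not a plain version (e.g. it carries a vendor suffix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version_text):
    """True if the version is within the advisory's affected range."""
    parts = parse_jenkins_version(version_text)
    if parts is None:
        raise ValueError(f"unrecognised Jenkins version: {version_text!r}")
    if len(parts) == 3:                    # LTS line, e.g. 2.121.2
        return parts <= MAX_AFFECTED_LTS
    return parts <= MAX_AFFECTED_WEEKLY    # weekly line, e.g. 2.137


def triage(inventory):
    """Map each host to whether its reported Jenkins version is affected."""
    return {host: is_affected(version) for host, version in inventory.items()}


# Constructed sample inventory (host -> version as reported by the X-Jenkins
# response header). These are placeholder hosts, not real systems.
SAMPLE_INVENTORY = {
    "ci-a.example.internal": "2.137",
    "ci-b.example.internal": "2.138",
    "ci-c.example.internal": "2.121.2",
    "ci-d.example.internal": "2.121.3",
}

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPDATE NEEDED' if affected else 'ok'}")
```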