SECURITY VULNERABILITY NOTICE

CVE-2024-23897 and CVE-2024-23898

Update 2/8/2024

Alerted Vulnerabilities

On February 2, 2024, Jenkins released version 2.442, which included a fix (also present in later versions) for CVE-2024-23897. CVE-2024-23897 is a critical (CVSSv3 9.8) remote code execution (RCE) vulnerability in the built-in Jenkins command line interface (CLI) that affects Jenkins 2.441 and earlier versions. Successful exploitation of CVE-2024-23897 can allow a remote, unauthenticated attacker to take full control of a vulnerable target system.

CVE-2024-23898 is a flaw in Jenkins in which requests made through the CLI WebSocket endpoint are not subject to origin validation. This High impact (CVSSv3 8.8) vulnerability affects Jenkins 2.217 through 2.441 (both inclusive) and LTS 2.222.1 through 2.426.2 (both inclusive). The missing origin validation results in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.
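The kind of origin check whose absence CVE-2024-23898 describes can be illustrated as follows. This is an added example, not code from Jenkins or Wind River; the function names, the root URL and the sample handshake headers are constructed, and rejecting a request with no Origin header is a policy choice of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin_tuple(url):
    """Return (scheme, host, port) for a URL, or None if it is not a usable http(s) origin."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower(), port

def cli_websocket_origin_allowed(headers, root_url):
    """Accept a WebSocket handshake only if its Origin equals the service's own origin.

    headers  -- request headers as a dict (names matched case-insensitively)
    root_url -- URL at which users reach the service (assumed configuration value)
    """
    expected = _origin_tuple(root_url)
    origin = {k.lower(): v for k, v in headers.items()}.get("origin")
    if expected is None or origin is None:
        # Browsers always send Origin on WebSocket handshakes; this example
        # rejects requests without one rather than guessing their source.
        return False
    # Compare parsed components, never string prefixes: the third sample below
    # starts with the trusted origin string but names a different host.
    return _origin_tuple(origin.strip()) == expected

ROOT_URL = "https://ci.example.com/jenkins/"   # constructed value
SAMPLE_HANDSHAKES = [                           # constructed requests
    {"Upgrade": "websocket", "Origin": "https://ci.example.com"},
    {"Upgrade": "websocket", "Origin": "https://ci.example.com:443"},
    {"Upgrade": "websocket", "Origin": "https://ci.example.com.evil.test"},
    {"Upgrade": "websocket", "Origin": "http://ci.example.com"},
    {"Upgrade": "websocket", "Origin": "null"},
    {"Upgrade": "websocket"},
]

if __name__ == "__main__":
    for req in SAMPLE_HANDSHAKES:
        verdict = "accept" if cli_websocket_origin_allowed(req, ROOT_URL) else "reject"
        print(f"{verdict}: Origin={req.get('Origin')!r}")
```

Only the first two sample handshakes are accepted; the look-alike host, the scheme downgrade, the opaque `null` origin and the request without an Origin header are all rejected.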

SECURITY STATUS FOR WIND RIVER STUDIO DEVELOPER

Our current assessment of Wind River® Product Security Status is as follows:

Summary

Wind River Studio Developer uses Jenkins 2.4.52-Alpine and is impacted by the Jenkins vulnerability for the built-in CLI. Studio Developer is also impacted by the flaw in Jenkins where the WebSocket has access to the CLI. Wind River has conducted analysis and investigation on the two vulnerabilities. It determined that CVE-2024-23897 is a Medium impact vulnerability to Studio Developer, according to the overall CVSS score including base, temporal, and environmental scoring, and that the prescribed remediations are already in place. CVE-2024-23898 is a Low impact vulnerability to Studio Developer, also according to the overall CVSS scoring, and the prescribed mitigations are already in place. Both vulnerabilities are targeted to be remediated fully with the latest Jenkins updates in the 24.03 release.

Details

For CVE-2024-23898, the threat scenarios may include an anonymous user and a Jenkins user's web browser in which Lax is not the default SameSite cookie attribute. If an attacker succeeds in a session hijacking attack, the attacker can execute the CLI commands that the victim's permissions allow. However, Studio Developer has mitigations in place to prevent a session hijacking attack: setting the HTTP-only flag and/or using only HTTPS and SSL/TLS for connections. These security controls drop the impact of this vulnerability to Low.

See CVE-2024-23898 in the CVSS 3.1 calculator.

With CVE-2024-23897, the WebSocket may allow access to the CLI. It does not perform origin validation of requests when they are made through the WebSocket endpoint. Due to the configuration of Jenkins for Studio Developer, the impact is minimal. The Jenkins-defined kill chains include the condition that the "Resource Root URL" be enabled; Studio Developer leaves this disabled by default. The attacker must also correctly guess, on average, 16 bytes of a 32-byte random binary secret, which Jenkins considers “improbable.” Although it is not enabled by default, customers must ensure the "Resource Root URL" is not enabled, as this is the main attack vector for this vulnerability. These factors drop this vulnerability to a Medium impact in Studio Developer.

See CVE-2024-23897 in the CVSS 3.1 calculator.

OTHER WIND RIVER PRODUCTS

The remaining Wind River products do not incorporate Jenkins as part of the product, and thus are not affected by these vulnerabilities.

Additional Resources

Please access these additional resources for these and all vulnerabilities:

Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.