Related vulnerability
Title: Jenkins security vulnerability (CVE-2024-43044) Description: Jenkins is an open-source application developed by the Jenkins project. An open-source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project. Jenkins 2.470 and earlier and Jenkins LTS 2.452.3 and earlier contain a security vulnerability: agent processes are allowed to read arbitrary files from the Jenkins controller file system through the ClassLoaderProxy#fetchJar method in Remoting.
Description
This repository provides a workaround preventing exploitation of SECURITY-3430 / CVE-2024-43044.
Introduction
# SECURITY-3430 Workaround
This is a Java agent for use with Jenkins controllers that do not have the fix for [SECURITY-3430](https://www.jenkins.io/security/advisory/2024-08-07/#SECURITY-3430) (i.e., up to and including 2.470 and LTS 2.452.3).
It transforms the definition of the class containing the SECURITY-3430 vulnerability to prevent exploitation.
If that fails for some reason, Jenkins is forcibly stopped.
## Usage
### Use as Java agent (standard use case)
Protect the Jenkins controller process from exploitation:
```bash
java -javaagent:/path/to/security3430-workaround.jar -jar jenkins.war
```
### Standalone use
Apply the transformation to the specified `RemoteClassLoader$ClassLoaderProxy.class` class file and write the result to a different file:
```bash
java -jar /path/to/security3430-workaround.jar <source file> <target file>
```
This could be used to create minimally modified `remoting.jar` files.
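Applying the standalone mode to a whole `remoting.jar`, as an added example that is not part of the workaround project: it runs the workaround jar on the single class file and repacks every other entry unchanged. It assumes the class sits at `hudson/remoting/RemoteClassLoader$ClassLoaderProxy.class` inside the jar and that `java` and the workaround jar path passed on the command line are available.

```python
"""Rebuild a remoting.jar whose RemoteClassLoader$ClassLoaderProxy class has been
run through the SECURITY-3430 workaround's standalone mode (added example)."""
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Callable

# Assumed location of the vulnerable class inside remoting.jar.
PROXY_CLASS = "hudson/remoting/RemoteClassLoader$ClassLoaderProxy.class"


def run_workaround(workaround_jar: str, class_bytes: bytes) -> bytes:
    """Invoke `java -jar security3430-workaround.jar <source> <target>` on one
    class file (the standalone mode described above) and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "in.class"
        dst = Path(tmp) / "out.class"
        src.write_bytes(class_bytes)
        subprocess.run(["java", "-jar", workaround_jar, str(src), str(dst)],
                       check=True)
        return dst.read_bytes()


def rebuild_remoting_jar(src_jar: str, dst_jar: str,
                         transform: Callable[[bytes], bytes]) -> int:
    """Copy every entry of src_jar into dst_jar unchanged except PROXY_CLASS,
    which is replaced by transform(original_bytes). Returns the number of
    entries replaced; 0 means the class was not found, so the output jar is
    NOT protected and should not be shipped."""
    replaced = 0
    with zipfile.ZipFile(src_jar) as zin, \
            zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info)
            if info.filename == PROXY_CLASS:
                data = transform(data)
                replaced += 1
            zout.writestr(info, data)  # keeps original entry metadata
    return replaced


if __name__ == "__main__":
    # usage: rebuild.py remoting.jar remoting-fixed.jar security3430-workaround.jar
    in_jar, out_jar, tool = sys.argv[1:4]
    n = rebuild_remoting_jar(in_jar, out_jar, lambda b: run_workaround(tool, b))
    print(f"replaced {n} entry(ies) in {out_jar}")
```

If the source jar carries signature files under `META-INF`, they will no longer match the replaced entry and must be regenerated or removed.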
## Configuration
Two Java system properties can be set to change the behavior of this Java agent:
* `io.jenkins.security.Security3430Workaround.DISABLE`:
Set this to `true` to disable the class transformation.
* `io.jenkins.security.Security3430Workaround.SKIP_SHUTDOWN`:
Set this to `true` to not stop the Jenkins process when class transformation fails.
Only recommended in specific narrow situations, e.g., when closely monitoring log messages (see below).
Both need to be set before the class is loaded and an attempt to transform is made, ideally as a `-D` command line option.
## Logging
Log messages use the `io.jenkins.security.Security3430Workaround` logger.
Messages logged on `SEVERE` indicate a failure to transform.
## Testing
Run the following code in the script console of a connected Jenkins agent to confirm the effectiveness of this workaround:
```groovy
def cl = Thread.currentThread().getContextClassLoader().proxy
cl.fetchJar(new URL('file:/path/to/jenkins/home/secrets/master.key'))
```
With neither fix nor workaround, this will print a message like the following, indicating successful exploitation: `Result: [B@23edd8a0`
With this workaround applied, this will throw an `AbstractMethodError` and print a long stack trace.
## License
Licensed under the terms of the MIT License. Copyright 2024 CloudBees, Inc.
File snapshot
[4.0K] /data/pocs/6fce6ca65c82765c3eae9fca64364788b73beabf
├── [1.0K] LICENSE.md
├── [2.1K] pom.xml
├── [2.2K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] io
                └── [4.0K] jenkins
                    └── [4.0K] security
                        └── [5.9K] Security3430Workaround.java

6 directories, 4 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.