Vulnerable CI/CD Pipelines

Jenkins Vulnerability: DevSecOps, CI/CD and Other Trendy Words

The recent vulnerability, CVE-2024-23897, has thrust Jenkins into the spotlight, reigniting discussions about its role in the DevOps world. Jenkins still holds on to 44% of the market share and has more than 75,000 servers exposed to the internet. This prevalence in CI/CD pipelines means that a single vulnerability can disrupt workflows across countless projects and organizations. It also prompts a reevaluation of dependency management and of the security of third-party plugins, which are often the Achilles’ heel of otherwise secure systems.


However, the landscape is shifting.

Newer entrants like GitHub Actions, GitLab CI/CD, Azure DevOps (ADO) and CircleCI are making waves, offering streamlined experiences that resonate with users seeking efficiency and simplicity. These platforms appeal to those who prefer spending less time on configuration and more on development. Or, as some users put it: using Jenkins is already a full-time job, so choose anything else. Groovy just isn’t groovy.

Despite the criticisms, Jenkins remains in use in many enterprise environments, often due to its established presence and the specific functionalities it offers through its extensive plugin ecosystem.


Speaking of Plugins

Sure, everyone is well aware of how much flexibility plugins provide and how essential they are for the ‘true Jenkins experience’. But what happens when you try to update Jenkins because of a security vulnerability?

Initially, you might think it’s as simple as updating to the new version. However, you can quickly run into plugin compatibility issues. For instance, you might find that one plugin needs an update to work with the new Jenkins version, but another plugin it depends on is stuck on an older version awaiting updates from its maintainer. This can force you into choosing an intermediate Jenkins version that doesn’t fully address the security concerns. Discovering a reliance on a deprecated plugin complicates matters further, especially if there are no immediate updates planned and no suitable alternatives that offer the same functionality.

The consensus in the community is that it’s not really about the tool; it’s more about the concept. Jenkins is just one way to get things done. All these CI/CD tools pretty much aim for the same goals. Choose what fits your setup, but for those starting fresh, focus on more modern tools—they’re easier to start with and more enjoyable to use.

I Promised You DevSecOps

Peer reviews remain one of the most crucial tools for maintaining integrity in open-source projects like Jenkins. The diligence of groups such as Sonar’s Vulnerability Research Team is vital for spotting potential security risks before they’re exploited. Yet at the same time, once these vulnerabilities are made public, attackers quickly develop exploits to target unpatched systems. This creates a race against time for DevSecOps and Security teams to apply patches, review configurations, and ensure that their CI/CD pipelines are not exposed.

All this talk about vulnerabilities brings security back to the top of the agenda. It’s a compelling reason to revisit two applicable practices (use big and scary words when discussing the current news with your management):

Shift Left with Security: Emphasize integrating security early in the software development life cycle, rather than treating it as an afterthought. By shifting security “left” (earlier in the development process), your team can identify and mitigate vulnerabilities before they become embedded in the final product.

Automate Security Practices: Automating security reviews and testing as part of the CI/CD pipeline is crucial. This includes employing tools for static and dynamic application security testing (SAST/DAST), software composition analysis (SCA), and infrastructure vulnerability scanning. Automation helps in early detection of vulnerabilities, ensuring they are addressed promptly.
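As an added example of what “automating security practices” looks like at the pipeline level (this is illustrative code written for this post, not a Jenkins feature or any scanner’s output format), the script below is a security gate a CI/CD job can run after the SAST and SCA stages finish. It reads findings in a hypothetical normalized JSON shape, applies time-boxed accepted-risk exceptions, and returns a pass/fail verdict so the job can block the build. The findings and exception entries are constructed samples.

```python
"""Added example (not from the original post): a minimal security gate that a
CI/CD job runs after SAST/SCA scanners finish. It reads scanner findings,
applies accepted-risk exceptions with expiry dates, and returns a pass/fail
verdict so the pipeline can block the build. The finding format is a
constructed, scanner-agnostic JSON shape, not any specific tool's output."""
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings in a hypothetical normalized shape.
SAMPLE_FINDINGS = json.dumps([
    {"id": "SCA-0001", "severity": "critical", "component": "example-lib@1.2.0",
     "title": "known vulnerable dependency (constructed sample)"},
    {"id": "SAST-0007", "severity": "medium", "component": "src/upload.py",
     "title": "path built from user input (constructed sample)"},
    {"id": "SAST-0012", "severity": "high", "component": "src/config.py",
     "title": "hard-coded secret (constructed sample)"},
])

# Accepted-risk exceptions: finding id -> expiry date. Expired entries stop suppressing.
ACCEPTED_RISK = {
    "SAST-0012": date(2099, 1, 1),   # reviewed, time-boxed exception (constructed)
    "SCA-0001": date(2020, 1, 1),    # expired exception; must not suppress
}


def evaluate_gate(findings_json, threshold="high", accepted=None, today=None):
    """Return (passed, blocking_ids, suppressed_ids).

    A finding blocks the build when its severity is at or above `threshold`
    and it has no unexpired accepted-risk entry.
    """
    accepted = accepted if accepted is not None else {}
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking, suppressed = [], []
    for finding in json.loads(findings_json):
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)
        if rank < min_rank:
            continue  # below the gate threshold; reported by the scanner, not blocking
        expiry = accepted.get(finding["id"])
        if expiry is not None and expiry >= today:
            suppressed.append(finding["id"])
        else:
            blocking.append(finding["id"])
    return (len(blocking) == 0, blocking, suppressed)


def main():
    """Print a verdict and exit non-zero on failure so the CI step fails."""
    passed, blocking, suppressed = evaluate_gate(SAMPLE_FINDINGS, "high", ACCEPTED_RISK)
    for fid in suppressed:
        print(f"suppressed by accepted-risk entry: {fid}")
    for fid in blocking:
        print(f"BLOCKING: {fid}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The exit code is the whole point: a gate that only prints a report is an afterthought, while one that fails the step is what “shift left” means in practice. Expiring exceptions keep accepted risk from quietly becoming permanent.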

Oh, I almost forgot: patch your Jenkins to 2.442 and LTS 2.426.3.
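A small added helper for checking that last point against an inventory (this is example code written for this post, not a Jenkins tool): Jenkins weekly releases carry two version components (2.442) and LTS releases three (2.426.3), so the component count selects which of the two fixed versions named above to compare against. The version strings below are constructed samples; on a real instance the value is the `X-Jenkins` response header or the “About Jenkins” page.

```python
"""Added example (not from the original post): decide whether a Jenkins version
string is at or above the fixed releases the post names, 2.442 (weekly) and
2.426.3 (LTS). Weekly versions have two components and LTS versions three, so
the component count picks the line to compare against. Version strings are
constructed samples; a real check would read the X-Jenkins header."""

FIXED_WEEKLY = (2, 442)     # fixed weekly release named in the post
FIXED_LTS = (2, 426, 3)     # fixed LTS release named in the post


def parse_version(version):
    """Turn '2.426.3' into (2, 426, 3); reject anything that is not 2 or 3 ints."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version):
    """True when `version` is at or above the fixed release for its line."""
    parsed = parse_version(version)
    if len(parsed) == 3:          # three components: LTS line
        return parsed >= FIXED_LTS
    return parsed >= FIXED_WEEKLY  # two components: weekly line


def triage(versions):
    """Map each version string in an inventory to 'patched' or 'needs patch'."""
    return {v: ("patched" if is_patched(v) else "needs patch") for v in versions}


if __name__ == "__main__":
    # Constructed inventory of sample versions, not real hosts.
    for version, verdict in triage(["2.441", "2.442", "2.426.2", "2.426.3", "2.414.3"]).items():
        print(f"{version:>10}  {verdict}")
```

Note that a weekly version such as 2.426 sits far below 2.442 on the weekly line even though it shares a number with the LTS 2.426.x series, which is why the line is chosen by component count rather than by prefix.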
