Security News
On Thursday, the Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched. The zero-days' CVSS base scores range from low to high severity, and, according to Jenkins' stats, the impacted plugins have a total of more than 22,000 installs.
Jenkins, an open-source automation server for continuous integration and delivery, has published 34 security advisories covering 25 plugins used to extend the software. The June 30 advisory follows a similar advisory from June 22, covering 28 plugins and Jenkins core software.
A just-patched, critical remote code-execution vulnerability in the Atlassian Confluence server platform is suffering wide-scale exploitation, the Feds have warned - as evidenced by an attack on the popular Jenkins open-source automation engine. Atlassian Confluence is a collaboration platform where business teams can organize its work in one place: "Dynamic pages give your team a place to create, capture, and collaborate on any project or idea," according to the website.
Hackers exploiting the recently disclosed Atlassian Confluence remote code execution vulnerability breached an internal server from the Jenkins project. While the attack is concerning because Jenkins is a popular open-source server for automating parts of software development, there is no reason that the project releases, plugins, or code have been impacted.
The maintainers of Jenkins-a popular open-source automation server software-have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence service to install a cryptocurrency miner. The "Successful attack," which is believed to have occurred last week, was mounted against its Confluence service that had been deprecated since October 2019, leading the team to take the server offline, rotate privileged credentials, and reset passwords for developer accounts.
The Jenkins team issued a reminder over the weekend that one should keep one's systems patched as it found itself with a compromised Confluence service. Although the affected instance of Confluence integrated with the company's identity system, the group said: "At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected."
A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero cryptocurrency. Z0Miner is a cryptomining malware strain spotted in November by the Tencent Security Team, who saw it infecting thousands of servers by exploiting a Weblogic security vulnerability.
Jenkins-a popular open-source automation server software-published an advisory on Monday concerning a critical vulnerability in the Jetty web server that could result in memory corruption and cause confidential information to be disclosed. "Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat," read the advisory.
Jenkins-a popular open-source automation server software-published an advisory on Monday concerning a critical vulnerability in the Jetty web server that could result in memory corruption and cause confidential information to be disclosed. "Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat," read the advisory.
A vulnerability in 12,000+ internet-facing Jenkins servers can be abused to mount and amplify reflective DDoS attacks against internet hosts, Radware researchers have discovered. The vulnerability can also be triggered by a single, spoofed UDP packet to launch DoS attacks against those same vulnerable Jenkins servers, by forcing them into an infinite loop of replies that can't be stopped unless one of the servers is rebooted or has its Jenkins service restarted.