NOTE: This article is an INTERNAL article and is not visible to customers, currently. Please only link this article in internal comments, but not public comments.
Issue
- Attackers leverage the Jenkins Script Console to execute malicious Groovy scripts, leading to cybercriminal activities such as the deployment of cryptocurrency miners.
- Improperly set up authentication mechanisms expose the script endpoint to attackers. This can lead to remote code execution (RCE) and misuse by malicious actors.
- Attackers can exploit Jenkins vulnerabilities to run scripts that can download and execute a miner binary and maintain persistence using cron jobs and systemd-run utilities.
- Therefore, how many of the actions below are configured in the Jenkins CI/CD service?
- Use the Script Approval feature provided by Jenkins (Script Security plugin): https://plugins.jenkins.io/script-security/
- Apply proper authentication and authorization policies for access to the web console, following the Access Control guidelines that Jenkins provides: https://www.jenkins.io/doc/book/security/access-control/
- Use the Audit Logging feature provided by Jenkins (Audit Trail plugin): https://plugins.jenkins.io/audit-trail/
- Ensure that Jenkins servers are not accessible from the internet.
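The following audit script is an added example (not Liferay or Jenkins code) that checks the first three items of the checklist against a Jenkins instance through its REST API: it reads the active plugin list with an admin API token and then confirms that the Script Console and the root API do not answer unauthenticated requests with HTTP 200. The plugin short names `script-security` and `audit-trail` are taken from the plugin URLs above; the fourth item (internet reachability) is a network check that has to be run from outside the VPC and is not covered here.

```python
import base64
import json
import urllib.error
import urllib.request

# Plugin short names behind two checklist items (from the plugin URLs in this article).
CONTROL_PLUGINS = {"Script Approval": "script-security", "Audit Logging": "audit-trail"}


def http_get(base_url, path, user=None, token=None):
    """GET base_url+path and return (status, body); with user/token, send HTTP basic auth."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if user and token:
        cred = base64.b64encode(f"{user}:{token}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def audit_jenkins(admin_get, anon_get):
    """Evaluate the checklist. Both arguments are callables path -> (status, body):
    admin_get authenticates (the plugin list needs admin rights), anon_get sends no
    credentials. Returns {control: configured?} for the controls listed above."""
    result = {}
    status, body = admin_get("/pluginManager/api/json?depth=1")
    active = set()
    if status == 200 and body:
        active = {p["shortName"] for p in json.loads(body).get("plugins", []) if p.get("active")}
    for label, short in CONTROL_PLUGINS.items():
        result[label] = short in active
    # Access control: neither the Script Console nor the root API should answer an
    # unauthenticated request with 200 (Jenkins normally returns 403 or redirects to login).
    result["Script Console requires authentication"] = anon_get("/script")[0] != 200
    result["Anonymous read access disabled"] = anon_get("/api/json")[0] != 200
    return result


def score(result):
    """Return (configured, total), answering 'how many of the actions are configured?'"""
    return sum(result.values()), len(result)


# Constructed sample responses (not captured from a real server) so the example runs offline.
HARDENED = {"/pluginManager/api/json?depth=1": (200, json.dumps({"plugins": [
    {"shortName": "script-security", "active": True}, {"shortName": "audit-trail", "active": True}]})),
    "/script": (403, ""), "/api/json": (403, "")}
EXPOSED = {"/pluginManager/api/json?depth=1": (200, json.dumps({"plugins": [
    {"shortName": "script-security", "active": True}]})), "/script": (200, ""), "/api/json": (200, "")}

if __name__ == "__main__":
    for name, fake in (("hardened", HARDENED), ("exposed", EXPOSED)):
        res = audit_jenkins(fake.__getitem__, fake.__getitem__)
        print(name, score(res), res)
```

Against a live server, pass `lambda p: http_get(url, p, user, api_token)` as `admin_get` and `lambda p: http_get(url, p)` as `anon_get`; the sample dictionaries are only stand-ins for those two fetchers.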
Environment
- Liferay Cloud - PaaS
Resolution
- Google Cloud Platform (GCP) network groups isolate the Jenkins server from other resources in the Virtual Private Cloud (VPC). This makes it harder for unauthorized access attempts originating from other projects or workloads within the same VPC to reach the Jenkins server.
- Google Kubernetes Engine (GKE) Ingress acts as a single entry point for traffic entering the Jenkins server. Rules are defined in Ingress to specify which source IPs, protocols, and ports are allowed to access the Jenkins server. This helps control inbound traffic and block unwanted connections.
- Users are given read-only access to their Jenkins instance.