CVE-2024-43044 PoC — Jenkins Security Vulnerability

Source
Associated Vulnerability
Title: Jenkins Security Vulnerability (CVE-2024-43044)
Description: Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.
Description
This repository provides a workaround preventing exploitation of SECURITY-3430 / CVE-2024-43044
Readme
# SECURITY-3430 Workaround

This is a Java agent for use with Jenkins controllers that do not have the fix for [SECURITY-3430](https://www.jenkins.io/security/advisory/2024-08-07/#SECURITY-3430) (i.e., up to and including 2.470 and LTS 2.452.3).

It transforms the definition of the class containing the SECURITY-3430 vulnerability to prevent exploitation.
If that fails for some reason, Jenkins is forcibly stopped.

## Usage

### Use as Java agent (standard use case)

Protect the Jenkins controller process from exploitation:

```bash
java -javaagent:/path/to/security3430-workaround.jar -jar jenkins.war
```

### Standalone use

Apply the transformation to the specified `RemoteClassLoader$ClassLoaderProxy.class` class file and write the result to a different file:

```bash
java -jar /path/to/security3430-workaround.jar <source file> <target file>
```

This could be used to create minimally modified `remoting.jar` files.
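The standalone mode can be scripted to rebuild a `remoting.jar` in which only the vulnerable class is replaced, and to confirm that nothing else changed. This is an added example, not code from the workaround repository; the `hudson/remoting/` entry path and the helper names (`patch_remoting_jar`, `changed_entries`, `run_workaround`) are assumptions.

```python
import subprocess
import tempfile
import zipfile
from pathlib import Path

# Assumed entry name: the README names RemoteClassLoader$ClassLoaderProxy.class;
# the hudson/remoting/ package path is an assumption about the jar layout.
ENTRY = "hudson/remoting/RemoteClassLoader$ClassLoaderProxy.class"


def run_workaround(workaround_jar, src, dst):
    """Standalone mode from the README: java -jar <workaround> <source> <target>."""
    subprocess.run(["java", "-jar", str(workaround_jar), str(src), str(dst)], check=True)


def changed_entries(jar_a, jar_b):
    """Return the sorted entry names that are missing from one jar or differ in bytes."""
    with zipfile.ZipFile(jar_a) as a, zipfile.ZipFile(jar_b) as b:
        names_a, names_b = set(a.namelist()), set(b.namelist())
        differing = {n for n in names_a & names_b if a.read(n) != b.read(n)}
        return sorted((names_a ^ names_b) | differing)


def patch_remoting_jar(remoting_jar, out_jar, workaround_jar, transform=run_workaround):
    """Write out_jar as a copy of remoting_jar with only ENTRY transformed."""
    with zipfile.ZipFile(remoting_jar) as zin, tempfile.TemporaryDirectory() as tmp:
        original = zin.read(ENTRY)  # KeyError if this jar does not contain the class
        src, dst = Path(tmp, "in.class"), Path(tmp, "out.class")
        src.write_bytes(original)
        transform(workaround_jar, src, dst)
        patched = dst.read_bytes()
        if patched == original:
            raise RuntimeError("transformation left the class file unchanged")
        # Nothing is written until the transformation has succeeded.
        with zipfile.ZipFile(out_jar, "w") as zout:
            for info in zin.infolist():
                data = patched if info.filename == ENTRY else zin.read(info)
                zout.writestr(info, data)  # reuses name, timestamp, compression
    # A minimal modification means exactly one differing entry.
    diff = changed_entries(remoting_jar, out_jar)
    if diff != [ENTRY]:
        raise RuntimeError(f"unexpected differences: {diff}")
    return diff
```

`changed_entries` can also be run on its own to audit a patched jar against the original before deploying it.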

## Configuration

Two Java system properties can be set to change the behavior of this Java agent:

* `io.jenkins.security.Security3430Workaround.DISABLE`:
  Set this to `true` to disable the class transformation.
* `io.jenkins.security.Security3430Workaround.SKIP_SHUTDOWN`:
  Set this to `true` to not stop the Jenkins process when class transformation fails.
  Only recommended in specific narrow situations, e.g., when closely monitoring log messages (see below).

Both need to be set before the class is loaded and an attempt to transform it is made, ideally as a `-D` command line option.

## Logging

Log messages use the `io.jenkins.security.Security3430Workaround` logger.
Messages logged at `SEVERE` indicate a failure to transform.

## Testing

Run the following code in the script console of a connected Jenkins agent to confirm the effectiveness of this workaround:

```groovy
def cl = Thread.currentThread().getContextClassLoader().proxy
cl.fetchJar(new URL('file:/path/to/jenkins/home/secrets/master.key'))
```

With neither fix nor workaround, this will print a message like the following, indicating successful exploitation: `Result: [B@23edd8a0`

With this workaround applied, this will throw an `AbstractMethodError` and print a long stack trace.

## License

Licensed under the terms of the MIT License. Copyright 2024 CloudBees, Inc.
File Snapshot

```
[4.0K] /data/pocs/6fce6ca65c82765c3eae9fca64364788b73beabf
├── [1.0K] LICENSE.md
├── [2.1K] pom.xml
├── [2.2K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] io
                └── [4.0K] jenkins
                    └── [4.0K] security
                        └── [5.9K] Security3430Workaround.java

6 directories, 4 files
```