Jenkins Team Avoids Security Disaster After Partial User Database Loss

June 10, 2020 TH Author headline,database,data loss,flaw

The developers of the Jenkins open source automation server said they’ve successfully recovered their backend infrastructure after a partial user database loss.

The incident took place last week, on June 2, and resulted in an outage to the Jenkins Artifactory portal — used by Jenkins plugin developers to upload and manage plugin artifacts.

The Jenkins team said an error to a Kubernetes system forced them to rebuild parts of the Artifactory portal from scratch.

During this rebuild process, the Jenkins team said they lost three months of changes to the LDAP database, including details about user accounts used by Jenkins plugin devs.

“Our corporate account (42Crunch) was one of the accounts that got deleted,” Dmitry Sotnikov, Chief Product Officer at 42Crunch, told ZDNet in an interview yesterday.

Sotnikov said they followed instructions provided by the Jenkins team and re-registered their old account.

“Once we did, we found that this new account automatically got access and permissions that the old, deleted account had – including full ownership of our Jenkins extension in the marketplace.

“This means that someone could have beaten us and could have registered an account with the name identical to ours, and then pushed some sort of a malware update to users on our behalf,” Sotnikov said.

Sotnikov also raised the issue with the Jenkins staff on their Google Groups discussion board.

Following the 42Crunch exec’s finding, the Jenkins team blocked all uploads of new artifacts to the Jenkins Artifactory portal to prevent any threat actor from taking advantage of this loophole and replacing plugin artifacts (files) with malicious versions.

No signs of malicious activity

The Jenkins team also followed through with a security audit. Devs said they reviewed all artifact uploads between June 2 (the outage) and June 9, when the issue was brought to their attention and found no suspicious uploads.

Jenkins devs said that while a threat actor could have uploaded new artifacts, the danger of pushing a malicious Jenkins plugin update was small because attackers would have also had to hijack a user’s plugin account at the same time with the Jenkins Artifactory account.

Jenkins devs are currently preparing to disclose the incident to all Artifactory users who had their accounts deleted during the June 2 outage and are putting in place additional verification measures to prevent any account hijacking attempts by unauthorized third-parties.