Published: 2/2/2024

Vulnerability Summary

On Jan 24th, Jenkins announced a critical vulnerability CVE-2024-23897 that impacts Liferay environments hosted in a cloud. Jenkins is a Continuous Integration tool to build software that allows Liferay PaaS customers to deploy software to their environments. The Liferay DXP product itself is not impacted.

What is the Concern?

This vulnerability can be used to attack Liferay CI service using HTTP/WebSocket protocols and get full access to the customer’s CI service. This service is responsible for building customer images from customer source code. By obtaining access, attackers can analyze customer code that is built by the CI service. Moreover, attackers can cause ongoing exposure by hiding malicious code into customer builds through GitHub connector or during builds. Such maliciously modified software builds can be deployed to the cloud environments by unsuspecting customers or customers tricked by social engineering. This can indirectly lead to a breach of the customer’s production environment.

How is Liferay Impacted?

Liferay PaaS customers are impacted by the vulnerability. The Liferay Security Incident Response Team has temporarily mitigated the immediate issue by blocking malicious requests to the vulnerable component, but customers must upgrade their Jenkins instances to protect themselves in the long term (see the Permanent Fix section below for instructions).

Liferay SaaS customers are not impacted because Liferay SaaS does not use Jenkins.

Liferay DXP and Liferay Portal products are not impacted. Customers maintaining their on-premise deployments don’t need to run any actions related to DXP. However, it is strongly recommended to upgrade Jenkins if they are hosting their own instances of Jenkins.

Liferay’s own internal infrastructure is not directly impacted and is undergoing upgrades.

How Can I Check and Temporarily Mitigate My Exposure?

Liferay has already mitigated the immediate threat for Liferay PaaS customers by blocking HTTP requests. 

Customers can check if they are exposed by visiting /cli/ws and /cli?remoting=false URL on their CI environment, for example: https://my-ci-jenkins-url/cli/ws. The pages should return the following response to signify that the exposure has been mitigated: 403 Forbidden

If an existing Jenkins service which has been mitigated by Liferay is deleted and recreated without updating the image version, then the temporary mitigation will need to be applied to the newly created service.

If Liferay PaaS customers are in a situation where they need to temporarily mitigate their exposure without applying a permanent fix, they can deploy an official groovy script from https://github.com/jenkinsci-cert/SECURITY-3314-3315/ to their ci service or by temporarily deleting their ci service before they are ready to apply the fix.

What is the Permanent and Official Fix?

Based on the official Jenkins recommendation, Liferay prepared a patched version of ci image with the vulnerable component disabled: liferaycloud/jenkins:2.356-jdk8-5.2.1. 

Customers can deploy the image by changing their LCP.json file for ci service and redeploying the service inside infra environment:

{

  "kind": "StatefulSet",

  "id": "ci",

  "image": "liferaycloud/jenkins:2.356-jdk8-5.2.1",

Questions

Please contact Liferay Support for additional information.