Platform: python
Component: jumpserver/jumpserver
Fixed in: 3.0.1
CVE-2024-29201 is a critical Remote Code Execution (RCE) vulnerability discovered in JumpServer, an open-source bastion host and security audit system. This flaw allows attackers to bypass input validation within the Ansible component, enabling arbitrary code execution within the Celery container. The vulnerability impacts JumpServer versions 3.0.0 up to and including 3.10.6, and a fix is available in version 3.10.7.
The impact of CVE-2024-29201 is severe. Successful exploitation allows an attacker to execute arbitrary code within the Celery container, which runs with root privileges and has direct access to the JumpServer database. This grants the attacker the ability to steal sensitive information from all managed hosts, modify user credentials, and potentially gain complete control over the JumpServer infrastructure. The ability to manipulate the database could lead to data breaches, unauthorized access, and disruption of critical operations. The root privileges within the container significantly amplify the potential damage, allowing for lateral movement and broader compromise of the environment.
This vulnerability is considered highly exploitable due to the ease of bypassing the input validation and the root privileges granted to the Celery container. It has been added to the CISA KEV catalog, indicating a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. The vulnerability was publicly disclosed on 2024-03-29.
Organizations heavily reliant on JumpServer as a central bastion host and those with legacy configurations that haven't been regularly patched are particularly at risk. Shared hosting environments where multiple users share a JumpServer instance also face increased exposure, as a compromise of one user could potentially lead to broader system compromise.
• linux / server:
journalctl -u jumpserver-celery -f | grep -i "ansible"  # Monitor Celery logs for Ansible activity
• linux / server:
lsof -i :8000  # Check for processes listening on the Ansible port
• generic web:
curl -I http://<jumpserver_ip>:8000/ansible/  # Check for Ansible endpoint exposure
EPSS: 68.52% (99th percentile)
The primary mitigation for CVE-2024-29201 is to immediately upgrade JumpServer to version 3.10.7 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the Celery container or disabling the Ansible functionality. Monitor JumpServer logs for suspicious activity related to Ansible execution. Implement a Web Application Firewall (WAF) with rules to detect and block malicious requests targeting the Ansible endpoint. After upgrading, verify the fix by attempting to trigger the vulnerable Ansible endpoint with a crafted payload and confirming that the execution is blocked.
Update JumpServer to version 3.10.7 or later. This version fixes the insecure validation of Ansible playbooks that allows remote code execution. Updating mitigates the risk of attackers executing arbitrary code inside the Celery container.
CVE-2024-29201 is a critical Remote Code Execution vulnerability in JumpServer versions 3.0.0 through 3.10.6, allowing attackers to execute arbitrary code via Ansible.
You are affected if you are running JumpServer versions 3.0.0 to 3.10.6. Verify your version and upgrade immediately.
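As an added example (not code from the page or from the JumpServer project), a small Python check that tests installed version strings against the affected range stated above. The names parse_version, is_affected and triage are my own, and the inventory fed to it is constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected range stated in the advisory text above (inclusive on both ends).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 10, 6)
FIXED_IN = (3, 10, 7)

# Accepts 'v3.10.6', '3.10.6-ce' or '3.10'; trailing build/edition tags are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a JumpServer version string into an integer tuple.

    Comparing version strings lexicographically ranks '3.10.6' below '3.9.0'
    (because '1' < '9'), so a naive string check would miss affected hosts;
    integer tuples compare each component numerically.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the given JumpServer version lies in the 3.0.0 .. 3.10.6 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each installed version to an action (hypothetical helper name)."""
    return {v: ("upgrade to 3.10.7+" if is_affected(v) else "ok") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the page.
    for ver, verdict in triage(["v3.10.6", "3.9.0", "3.10.7", "2.28.0"]).items():
        print(f"{ver:>8}: {verdict}")
```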
Upgrade JumpServer to version 3.10.7 or later to resolve the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like restricting network access.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation, and it's been added to the CISA KEV catalog.
Refer to the official JumpServer security advisory for detailed information and updates: https://github.com/JumpCloud/JumpServer/security/advisories/GHSA-9934-3437-4399