Platform
python
Component
jumpserver/jumpserver
Fixed version
3.0.1
CVE-2024-29201 is a critical Remote Code Execution (RCE) vulnerability discovered in JumpServer, an open-source bastion host and security audit system. This flaw allows attackers to bypass input validation within the Ansible component, enabling arbitrary code execution within the Celery container. The vulnerability impacts JumpServer versions 3.0.0 up to and including 3.10.6, and a fix is available in version 3.10.7.
The impact of CVE-2024-29201 is severe. Successful exploitation allows an attacker to execute arbitrary code within the Celery container, which runs with root privileges and has direct access to the JumpServer database. This grants the attacker the ability to steal sensitive information from all managed hosts, modify user credentials, and potentially gain complete control over the JumpServer infrastructure. The ability to manipulate the database could lead to data breaches, unauthorized access, and disruption of critical operations. The root privileges within the container significantly amplify the potential damage, allowing for lateral movement and broader compromise of the environment.
This vulnerability is considered highly exploitable due to the ease of bypassing the input validation and the root privileges granted to the Celery container. It has been added to the CISA KEV catalog, indicating a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. The vulnerability was publicly disclosed on 2024-03-29.
Organizations heavily reliant on JumpServer as a central bastion host and those with legacy configurations that haven't been regularly patched are particularly at risk. Shared hosting environments where multiple users share a JumpServer instance also face increased exposure, as a compromise of one user could potentially lead to broader system compromise.
• linux / server:
  journalctl -u jumpserver-celery -f | grep -i "ansible"  # Monitor Celery logs for Ansible activity
• linux / server:
  lsof -i :8000  # Check for processes listening on the Ansible port
• generic web:
  curl -I http://<jumpserver_ip>:8000/ansible/  # Check for Ansible endpoint exposure
Exploit status
EPSS
68.52% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-29201 is to immediately upgrade JumpServer to version 3.10.7 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the Celery container or disabling the Ansible functionality. Monitor JumpServer logs for suspicious activity related to Ansible execution. Implement a Web Application Firewall (WAF) with rules to detect and block malicious requests targeting the Ansible endpoint. After upgrading, verify the fix by attempting to trigger the vulnerable Ansible endpoint with a crafted payload and confirming that the execution is blocked.
Update JumpServer to version 3.10.7 or later. This version fixes the insecure validation of Ansible playbooks and prevents remote code execution. Updating reduces the risk of an attacker executing arbitrary code inside the Celery container.
CVE-2024-29201 is a critical Remote Code Execution vulnerability in JumpServer versions 3.0.0 through 3.10.6, allowing attackers to execute arbitrary code via Ansible.
You are affected if you are running JumpServer versions 3.0.0 to 3.10.6. Verify your version and upgrade immediately.
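As an added illustration (not code from the advisory or the JumpServer project), a small Python check for the version range quoted above; the version string is assumed to come from your asset inventory or the JumpServer admin UI. It compares versions numerically, which matters because a plain string comparison puts 3.9.0 after 3.10.6 and would misclassify hosts.

```python
import re
from typing import Tuple

# Affected range and fix version exactly as stated in the advisory text on this page.
FIRST_AFFECTED = (3, 0, 0)
LAST_AFFECTED = (3, 10, 6)
FIXED_IN = (3, 10, 7)

# Accepts '3.10.6', 'v3.10.6' and suffixed forms such as '3.10.6-ce' (suffix ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a JumpServer version string into a numeric (major, minor, patch) tuple
    so that comparisons are numeric rather than lexicographic."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies within 3.0.0 .. 3.10.6 inclusive."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def assess(version: str) -> str:
    """Human-readable verdict suitable for an inventory report or ticket."""
    v = parse_version(version)
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return f"{version}: AFFECTED by CVE-2024-29201, upgrade to 3.10.7 or later"
    if v >= FIXED_IN:
        return f"{version}: not affected (fixed in 3.10.7)"
    return f"{version}: below the affected range (pre-3.0.0); confirm support status"


if __name__ == "__main__":
    # Constructed sample inventory values, not real hosts.
    for ver in ["2.28.7", "3.0.0", "3.9.0", "3.10.6", "v3.10.6", "3.10.7"]:
        print(assess(ver))
```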
Upgrade JumpServer to version 3.10.7 or later to resolve the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like restricting network access.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation, and it's been added to the CISA KEV catalog.
Refer to the official JumpServer security advisory for detailed information and updates: https://github.com/JumpCloud/JumpServer/security/advisories/GHSA-9934-3437-4399