Platform
python
Component
jumpserver/jumpserver
Fixed version
3.10.12 (also fixed in 4.0.0)
CVE-2024-40629 is a critical Remote Code Execution (RCE) vulnerability discovered in JumpServer, an open-source Privileged Access Management (PAM) tool. This vulnerability allows an attacker to exploit an Ansible playbook to write arbitrary files, leading to complete system compromise. The vulnerability affects versions 3.0.0 through 3.10.11, and a patch is available in version 3.10.12.
The impact of CVE-2024-40629 is severe. Successful exploitation allows an attacker to execute arbitrary code within the Celery container, which runs as root and has full access to the JumpServer database. This grants the attacker the ability to steal all stored secrets for managed hosts, create new JumpServer accounts with administrative privileges, and manipulate the database to gain persistent access. Because JumpServer holds the credentials for every host it manages, the blast radius extends to all of those systems, making this a high-priority risk. The root cause is the familiar Ansible pattern in which playbook content controlled by a user is allowed to write files at attacker-chosen paths on the host that runs the playbook.
CVE-2024-40629 was publicly disclosed on July 18, 2024. The vulnerability's criticality (CVSS score of 10) and the potential for widespread impact suggest a high probability of exploitation. While no public exploits have been confirmed at the time of writing, the ease of exploitation and the sensitivity of the data at risk make it a likely target for attackers. It is not currently listed on CISA KEV, but its severity warrants close monitoring.
Organizations heavily reliant on JumpServer for privileged access management are particularly at risk. This includes DevOps teams, IT administrators, and any environment where sensitive credentials are stored and managed within JumpServer. Environments utilizing older JumpServer versions (3.0.0 - 3.10.11) are directly vulnerable and require immediate attention.
• linux / server:
Tail the Celery worker's logs and look for Ansible tasks writing to unexpected destinations. No log will literally contain the phrase "arbitrary file write", so grep for file-writing task names and destination paths instead. The journalctl form only applies if Celery runs as a systemd unit; in the standard Docker deployment the worker runs in its own container, so read that container's logs (the container name below is assumed to be the installer's default; take the real one from `docker ps`):
journalctl -u celery -f | grep -iE 'playbook|copy|template|dest='
docker logs -f jms_celery 2>&1 | grep -iE 'playbook|copy|template|dest='
• linux / server:
List the files the Celery worker process currently has open and look for playbook or data paths outside the directory you expect. Note that lsof -p takes a PID, not a service name; replace the placeholder path with your deployment's playbook directory:
lsof -p "$(pgrep -f celery | head -n 1)" | grep -i "/path/to/ansible/playbook"
• generic web:
A HEAD request against the web front end only tells you whether a directory is exposed; it does not test the vulnerability, which is triggered through JumpServer's own Ansible job execution and is determined by the running version. Treat this as a secondary check (the path is a placeholder):
curl -I http://<jumpserver_ip>/ansible/playbook/ # check for directory listing or an exposed playbook
Exploit status
EPSS
9.36% (93rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-40629 is to upgrade JumpServer to version 3.10.12 or later (or 4.0.0 or later) immediately. The vendor advisory lists no workaround, so the measures below only reduce the blast radius until you can upgrade; they do not remove the vulnerability. Restrict who can create and run Ansible jobs in JumpServer and review the contents of existing playbooks. Tighten file permissions within the Celery container so the worker can write only where it must, bearing in mind that the container runs as root, which limits what file permissions alone can enforce. Monitor Celery container logs for file writes outside the expected locations. After upgrading, confirm the fix by checking that the version reported by the running JumpServer instance is 3.10.12 or later (or 4.0.0 or later); do not attempt to re-exploit a production system.
Update JumpServer to version 3.10.12 or later, or to version 4.0.0 or later. This fixes the arbitrary file write vulnerability that could allow remote code execution. No known workarounds exist.
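The affected-range statement above, turned into a runnable check. This is an added example, not JumpServer project code: it parses a version string (read from the JumpServer web UI's About dialog or from the installer's `config.txt` `VERSION=` line; both locations and the `VERSION=` format are assumptions of this example) and reports whether it lies in 3.0.0 through 3.10.11. The range is treated as inclusive at both ends, and strings the script cannot parse are rejected rather than guessed at.

```python
"""Decide whether a JumpServer version is in the range affected by CVE-2024-40629.

Added example; this is not JumpServer project code. Affected: 3.0.0 through
3.10.11 (fixed in 3.10.12 and 4.0.0), as stated in the advisory. The
VERSION= line format is an assumption about the installer's config.txt.
"""
import re
import sys

AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 10, 11)
FIXED_VERSIONS = ("3.10.12", "4.0.0")

# Accepts "3.10.11", "v3.10.11" and suffixed forms such as "v3.10.11-ce".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints; raise ValueError on unparseable input."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised JumpServer version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version lies inside the affected range, inclusive at both ends."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def version_from_config(config_text):
    """Extract the version from installer-style config text containing a
    VERSION=v3.10.11 line (assumed format). Comments and blank lines are skipped."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("VERSION="):
            return line.split("=", 1)[1].strip().strip('"').strip("'")
    raise ValueError("no VERSION= line found")


def classify(text):
    """Human-readable verdict for one version string."""
    if is_affected(text):
        return (f"{text}: AFFECTED by CVE-2024-40629; "
                f"upgrade to {' or '.join(FIXED_VERSIONS)} or later")
    return f"{text}: not in the affected range 3.0.0-3.10.11"


def main(argv):
    # Usage: python check_jumpserver_version.py v3.10.11 [more versions...]
    # With no arguments, run against a constructed config.txt sample.
    # Exit status 1 if any checked version is affected, else 0.
    if len(argv) > 1:
        versions = argv[1:]
    else:
        sample_config = "# constructed sample, not a real deployment\nVERSION=v3.10.11\n"
        versions = [version_from_config(sample_config)]
    for version in versions:
        print(classify(version))
    return 1 if any(is_affected(v) for v in versions) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status makes the script usable from a fleet inventory loop or a CI gate; feed it the version strings you collect from each instance and act on any line marked AFFECTED.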
CVE-2024-40629 is a critical Remote Code Execution vulnerability in JumpServer versions 3.0.0 through 3.10.11, allowing attackers to execute arbitrary code via an Ansible playbook.
You are affected if you are running JumpServer versions 3.0.0 through 3.10.11. Upgrade to version 3.10.12 or later to mitigate the risk.
Upgrade JumpServer to version 3.10.12 or later (or 4.0.0 or later). The vendor lists no workaround; until you upgrade, restrict who can create and run Ansible jobs and tighten file access controls in the Celery container to reduce the blast radius.
While no confirmed exploitation has been publicly reported, the vulnerability's severity and ease of exploitation suggest a high probability of future attacks.
Refer to the official JumpServer security advisory on their website or GitHub repository for detailed information and updates.