Hi all,

Recently we have received reports that our Jenkins server running at ci.hive.apache.org was affected by CVE-2024-23897 [1]. The vulnerability was addressed by upgrading Jenkins to the latest version as part of HIVE-28339 [2,3].

Given the nature of the vulnerability, I reviewed the Jenkins instance for sensitive information that could have been exposed and found some potential credential leaks. Together with Zoltan Haindrich, we went over the Jenkins credential storage and it turns out that no real user credentials were affected. In fact, most credentials that were stored in Jenkins were obsolete, so we removed them completely.

In CI, we use a special bot user, namely asf-ci-hive, that is used to add/remove labels in PRs, and there is a risk that its personal access token has been compromised. For that reason, we got in touch with INFRA and obtained a new personal access token (INFRA-25949 [4]) that I set up on Friday, July 12, 2024.

Other information that may have been compromised consists of the GitHub usernames of users who logged in to Jenkins recently, but for the most part this information is publicly available on GitHub.

The Jenkins upgrade was also necessary to address various other CVEs that were not reported explicitly but affected Jenkins and several of the installed plugins. To avoid a similar situation in the future, we should ensure that our Jenkins instance remains up to date at all times.

Credit: Thanks to Othmane Friha (n3s7l3) and Dadang Firmansah (Dungs) for reporting the vulnerability.

Best,
Stamatis

[1] https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
[2] https://issues.apache.org/jira/browse/HIVE-28339
[3] https://lists.apache.org/thread/4qb3z3yx9ovnxbsr4b02ohz6twlkrlx9
[4] https://issues.apache.org/jira/browse/INFRA-25949
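The closing recommendation (keep the instance up to date) is the kind of thing that is easy to forget without a check. The script below is an added example, not part of the original mail or of the Hive project's CI tooling: it reads the version a Jenkins instance reports in its X-Jenkins response header and compares it against the first fixed releases named in the SECURITY-3314 advisory (2.442 weekly, 2.426.3 LTS). It assumes the instance is reachable over HTTP and sends that header, which Jenkins does by default; the hostnames and version strings in the sample audit are constructed.

```python
"""Check whether Jenkins instances carry the fix for CVE-2024-23897 (SECURITY-3314).

Added example (not Hive's CI code). Compares the version from the X-Jenkins
response header with the first fixed releases from the Jenkins advisory.
"""
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# First releases that include the fix, per the Jenkins advisory for SECURITY-3314.
FIXED_WEEKLY = (2, 442)      # weekly line: 2.441 and earlier are affected
FIXED_LTS = (2, 426, 3)      # LTS line: 2.426.2 and earlier are affected


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2). Non-numeric components raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def is_fixed(version: str) -> bool:
    """True if the reported version is at or after the fixed release on its line.

    LTS versions have three components (e.g. 2.426.2), weekly releases two
    (e.g. 2.441), so the component count tells us which threshold applies.
    """
    v = parse_version(version)
    if len(v) >= 3:
        return v[:3] >= FIXED_LTS
    return v >= FIXED_WEEKLY


def jenkins_version(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the version from the X-Jenkins header of the instance's login page.

    Jenkins includes the header even on error responses (e.g. 403), so an
    HTTPError is not fatal: its headers are inspected as well.
    """
    req = Request(base_url.rstrip("/") + "/login", method="HEAD")
    try:
        with urlopen(req, timeout=timeout) as resp:
            header = resp.headers.get("X-Jenkins")
    except HTTPError as err:
        header = err.headers.get("X-Jenkins")
    if not header:
        raise RuntimeError(f"{base_url} did not return an X-Jenkins header")
    return header


def audit(versions: dict[str, str]) -> dict[str, bool]:
    """Map each instance name to whether its reported version is fixed."""
    return {name: is_fixed(v) for name, v in versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory; in practice, feed jenkins_version(url) results.
    sample = {
        "ci-old-weekly": "2.441",    # affected
        "ci-old-lts": "2.426.2",     # affected
        "ci-new-lts": "2.452.1",     # fixed
    }
    for name, ok in audit(sample).items():
        print(f"{name}: {'OK' if ok else 'UPGRADE NEEDED'}")
```

Running this on a schedule (or from a job on the instance itself) turns "stay up to date" into an alert when the reported version falls behind a known threshold; the thresholds are specific to this advisory, so extend the constants as new advisories are published.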
Given the nature of the vulnerability, I reviewed the Jenkins instance for sensitive information that could have been exposed and found some potential credential leak. Together with Zoltan Haindrich we went over the Jenkins credential storage and it turns out that there were no real user credentials affected. In fact most credentials that were stored in Jenkins were obsolete thus we removed them completely. In CI, we use a special bot user namely asf-ci-hive that is used to add/remove labels in PRs and there is a risk that their personal access tokens have been compromised. For that reason, we got in touch with INFRA and we obtained a new personal access token (INFRA-25949 [4]) that I set up on Friday, July 12 2024. Other information that may have been compromised consists in GitHub usernames from those users that logged in recently in Jenkins but for the most part this information is publicly available on GitHub. The Jenkins upgrade was also necessary to address various other CVEs that were not reported explicitly but they affected Jenkins and various of the plugins installed. To avoid a similar situation in the future we should ensure that our Jenkins instance remains up to date at all times. Credit: Thanks to Othmane Friha (n3s7l3), and Dadang Firmansah (Dungs) for reporting the vulnerability. Best, Stamatis [1] https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 [2] https://issues.apache.org/jira/browse/HIVE-28339 [3] https://lists.apache.org/thread/4qb3z3yx9ovnxbsr4b02ohz6twlkrlx9 [4] https://issues.apache.org/jira/browse/INFRA-25949