Year-old vuln turns Jenkins servers into Monero mining slaves

Here's a salutary reminder why it pays to patch promptly: a Jenkins bug patched last year became the vector for a multi-million-dollar cryptocurrency mining hijack. A campaign security researchers dubbed “JenkinsMiner” exploited CVE-2017-1000353, a deserialisation bug first disclosed with fixes by the Jenkins team in April …

  1. Adam 1

    > Here's a salutary reminder why it pays to patch promptly

    Shirley, in this context, that should be "pays to not patch promptly".

  2. Tom 64
    Pint

    PowerShell?

    I'm guessing this only affects Windows boxen then? I see no reference to OS on the linked info though.

    </panic>

    <beer>

    ..

    1. Anonymous Coward

      Re: PowerShell?

      Well, the advisory is a Red Hat one (really not that hard to find)

      https://access.redhat.com/security/cve/cve-2017-1000353

      So looks like the Windows admins will be enjoying the beer this time.

    2. katrinab Silver badge

      Re: PowerShell?

      Powershell has only very recently become available on GNU/Linux distributions, and I don't think many people have it installed.

  3. Adam 52 Silver badge

    "Here's a salutary reminder why it pays to patch promptly: a Jenkins bug patched "

    Clearly not written by someone who's ever attempted to patch Jenkins. It can easily take a year just to work through all the incompatibility and broken plugins that a new release creates.

    1. JC_
      WTF?

      It's not been a problem in the years we've been using Jenkins and I've not seen mass reports of any years-long drama. Perhaps it's the fault of the plugins you're using?

  4. rmason

    Our devs use Jenkins.

    I've discussed this with them and they said they will check, but that it mining for someone was probably preferable to the issues they often have when patching.

  5. Claptrap314 Silver badge

    Audit all your code for known CVEs, at least

    This aspect of Jenkins drove me nuts at my old company. All of these plugins, half of them not actually used, coming from a community website which did not appear to be policed significantly. Known privilege escalation bugs on plugins that are highly used but not maintained. And on and on.

    A tool like Jenkins is absolutely necessary, but the ecosystem was a nonstarter from a serious security standpoint. I suppose I should be looking around to see what competition there is...
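The comment above asks for plugins to be audited against known CVEs. The script below is an added example of what such an audit can look like; it is not code from the article, from any commenter, or from the Jenkins project. It assumes two inputs shaped like the real Jenkins data sources: the plugin inventory that a controller serves at /pluginManager/api/json?depth=1 (entries carrying "shortName", "version" and "active") and the "warnings" array in the update centre's update-center.actual.json (entries carrying "type", "name", "id", "url", "message" and a "versions" list of {"pattern", "lastVersion"}). Both inputs here are constructed samples with invented plugin names, advisory ids and version patterns; the field names are the ones I have seen those endpoints use, so check them against a live download before relying on this in CI.

```python
"""Audit a Jenkins plugin inventory against update-center security warnings.

Added example, not the article's or the Jenkins project's own code. The
field names below follow the /pluginManager/api/json?depth=1 and
update-center.actual.json shapes as an assumption; verify them live.
"""
import json
import re

# Constructed sample of <JENKINS_URL>/pluginManager/api/json?depth=1, trimmed
# to the fields used here. Plugin names and versions are made up.
SAMPLE_PLUGINS_JSON = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1.40", "active": True},
        {"shortName": "git", "version": "3.9.1", "active": True},
        {"shortName": "unmaintained-example", "version": "0.3", "active": False},
        {"shortName": "credentials", "version": "2.1.18", "active": True},
    ]
})

# Constructed sample of the "warnings" array from update-center.actual.json.
# The ids, URLs, messages and version patterns are invented for the example
# and do not describe real advisories.
SAMPLE_WARNINGS_JSON = json.dumps({
    "warnings": [
        {"type": "plugin", "name": "script-security", "id": "EXAMPLE-1",
         "url": "https://example.invalid/advisory/1",
         "message": "Sandbox bypass (constructed)",
         "versions": [{"pattern": r"1[.]([0-9]|[1-3][0-9]|4[0-4])(|[.-].*)",
                       "lastVersion": "1.44"}]},
        {"type": "plugin", "name": "unmaintained-example", "id": "EXAMPLE-2",
         "url": "https://example.invalid/advisory/2",
         "message": "Privilege escalation, no fix released (constructed)",
         "versions": [{"pattern": r".*", "lastVersion": ""}]},
        {"type": "core", "name": "core", "id": "EXAMPLE-3",
         "url": "https://example.invalid/advisory/3",
         "message": "Core warning, ignored by a plugin audit (constructed)",
         "versions": [{"pattern": r"2[.]([0-9]|[1-9][0-9])(|[.-].*)",
                       "lastVersion": "2.99"}]},
    ]
})


def version_is_warned(pattern, version):
    """True if the installed version falls inside a warning's version range.

    Update-center patterns are written for Java's String.matches(), which
    anchors both ends, so fullmatch is the faithful translation.
    """
    return re.fullmatch(pattern, version) is not None


def find_vulnerable_plugins(plugins_json, warnings_json, include_inactive=True):
    """Return one finding per (plugin, warning) pair whose version matches.

    Disabled plugins are included by default: the jar is still on disk and
    one click in the plugin manager re-enables it, so it belongs in the audit.
    """
    plugins = json.loads(plugins_json)["plugins"]
    warnings = json.loads(warnings_json)["warnings"]

    # Index plugin warnings by shortName; "core" warnings concern the Jenkins
    # version itself and are out of scope for a plugin audit.
    by_name = {}
    for w in warnings:
        if w.get("type") == "plugin":
            by_name.setdefault(w["name"], []).append(w)

    findings = []
    for p in plugins:
        if not include_inactive and not p.get("active", True):
            continue
        for w in by_name.get(p["shortName"], []):
            matched = [v for v in w.get("versions", [])
                       if version_is_warned(v["pattern"], p["version"])]
            if matched:
                findings.append({
                    "plugin": p["shortName"],
                    "installed": p["version"],
                    "active": p.get("active", True),
                    "warning": w["id"],
                    # An empty lastVersion means every version is affected and
                    # no fixed release exists: remove rather than upgrade.
                    "fixed_after": matched[0].get("lastVersion") or None,
                    "url": w.get("url", ""),
                })
    return findings


def format_report(findings):
    """Render findings one per line, for a CI gate or a ticket."""
    lines = []
    for f in findings:
        action = ("upgrade past %s" % f["fixed_after"]) if f["fixed_after"] \
            else "no fix available: remove the plugin"
        state = "active" if f["active"] else "disabled"
        lines.append("%s %s (%s): %s, %s  %s" % (
            f["plugin"], f["installed"], state, f["warning"], action, f["url"]))
    return lines


if __name__ == "__main__":
    for line in format_report(
            find_vulnerable_plugins(SAMPLE_PLUGINS_JSON, SAMPLE_WARNINGS_JSON)):
        print(line)
```

Run against real data by fetching the two JSON documents and passing them in place of the constructed samples; the one design choice worth keeping is that disabled plugins are reported too, since the "half of them not actually used" plugins in the comment above are exactly the ones nobody upgrades.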
