Earlier this week the Jenkins infrastructure team identified a successful attack against our deprecated Confluence service. We responded immediately by taking the affected server offline while we investigated the potential impact. At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected.

Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services.

The trust and security in Jenkins core and plugin releases is our highest priority. We do not have any indication that developer credentials were exfiltrated during the attack. At the moment we cannot assert otherwise and are therefore assuming the worst. We are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community. We have reset passwords for all accounts in our integrated identity system. We are improving the password reset system as part of this effort.

At this time, the Jenkins infrastructure team has permanently disabled the Confluence service, rotated privileged credentials, and taken proactive measures to further reduce the scope of access across our infrastructure. We are working closely with our colleagues at the Linux Foundation and the Continuous Delivery Foundation to ensure that infrastructure which is not directly managed by the Jenkins project is also scrutinized.

In October 2019 we made the Confluence server read-only effectively deprecating it for day-to-day use within the project. At that time, we began migrating documentation and changelogs from the wiki to GitHub repositories. That migration has been ongoing, with hundreds of plugins and many other documentation pages moved from the wiki to GitHub repositories.

We are grateful for those of you who followed our responsible disclosure procedure and reached out to us about this vulnerability affecting the Jenkins project.

We will continue to take proactive measures to improve the security of our infrastructure and encourage you to follow us on Twitter for further updates.

About the Authors
Mark Waite

Mark is the Jenkins Documentation Officer, a long-time Jenkins user and contributor, and maintains the git plugin and the git client plugin. He is active in Jenkins special interest groups including the Docs SIG, Platform SIG, and Advocacy SIG.

R. Tyler Croy

R. Tyler Croy has been part of the Jenkins project for the past seven years. While avoiding contributing any Java code, Tyler is involved in many of the other aspects of the project which keep it running, such as this website, infrastructure, governance, etc.