CVE-2019-17444
📋 TL;DR
This vulnerability allows unauthenticated network-based attackers to gain administrative access to JFrog Artifactory instances by exploiting default passwords such as 'password', which the product does not require to be changed. It affects all JFrog Artifactory versions prior to 6.17.0 and can lead to complete compromise of the instance.
💻 Affected Systems
- JFrog Artifactory
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Artifactory instance, allowing attackers to steal sensitive artifacts, inject malicious packages, modify existing packages, and use the system as a foothold for lateral movement within the network.
Likely Case
Unauthorized administrative access leading to data theft, package tampering, and potential supply chain attacks if malicious packages are distributed through the compromised repository.
If Mitigated
Limited impact if strong network segmentation, proper authentication controls, and monitoring are in place to detect unauthorized access attempts.
🎯 Exploit Status
Exploitation requires only knowledge of default credentials and network access to the Artifactory instance. No special tools or advanced techniques are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.17.0 and later
Vendor Advisory: https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes
Restart Required: Yes
Instructions:
1. Back up your Artifactory configuration and data.
2. Download Artifactory version 6.17.0 or later from the official JFrog website.
3. Follow the upgrade instructions specific to your installation type (RPM, DEB, Docker, etc.).
4. Restart the Artifactory service.
5. Verify that the upgrade was successful and that all default passwords have been changed.
🔧 Temporary Workarounds
Change All Default Passwords
Manually change all default passwords for administrative accounts to strong, unique passwords.
Use the Artifactory web UI or REST API to change passwords for all user accounts, particularly admin and any other default accounts.
Implement Network Access Controls
Restrict network access to Artifactory instances to trusted IP addresses or networks only.
Configure firewall rules to allow access only from specific IP ranges or implement VPN access for administrative interfaces.
🧯 If You Can't Patch
- Immediately change all default passwords to strong, complex passwords and enforce password policies
- Implement multi-factor authentication for administrative accounts if supported by your version
🔍 How to Verify
Check if Vulnerable:
Check your Artifactory version via the web UI (Admin → System Info) or the REST API. If the version is below 6.17.0, you are vulnerable. Also verify whether any accounts still use default passwords.
Check Version:
curl -u <admin-user>:<password> http://<artifactory-host>/artifactory/api/system/version (Note: authenticate with your real administrative credentials, not the default ones; the response reports the running version.)
Verify Fix Applied:
After upgrading to 6.17.0 or later, verify the version and ensure that the system now enforces password changes for default accounts. Test that old default passwords no longer work.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by a successful login with a default username
- Administrative actions from unexpected IP addresses
- Password change events for default accounts
Network Indicators:
- Authentication requests to Artifactory from unexpected network segments
- Traffic patterns suggesting credential guessing attacks
SIEM Query:
source="artifactory.log" AND ((event="LOGIN_SUCCESS" AND user="admin") OR (event="LOGIN_FAILED" AND user IN ("admin", other_default_usernames)))
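The two log indicators above, as an added detection example that is not part of the advisory: it parses constructed log lines written in an assumed Artifactory 6.x access.log style and flags a run of failed logins followed by a success on a default account, plus default-account logins from outside an allow-list. The log format, IP addresses, allow-list, and failure threshold are all assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed Artifactory 6.x access.log style
# (the exact product format is not taken from the advisory).
SAMPLE_LOG = """\
2019-11-15 10:22:01,101 [DENIED LOGIN]   for client : admin / 203.0.113.7.
2019-11-15 10:22:03,204 [DENIED LOGIN]   for client : admin / 203.0.113.7.
2019-11-15 10:22:05,330 [DENIED LOGIN]   for client : admin / 203.0.113.7.
2019-11-15 10:22:07,411 [ACCEPTED LOGIN] for client : admin / 203.0.113.7.
2019-11-15 10:30:00,000 [ACCEPTED LOGIN] for client : admin / 10.0.5.12.
2019-11-15 10:31:00,000 [ACCEPTED LOGIN] for client : jdoe / 198.51.100.9.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<event>ACCEPTED|DENIED) LOGIN\]\s+for client : "
    r"(?P<user>\S+) / (?P<ip>[0-9a-fA-F.:]+)\.$"
)

DEFAULT_USERS = {"admin"}      # default account named in the advisory
TRUSTED_IPS = {"10.0.5.12"}    # constructed allow-list of admin hosts
FAILURE_THRESHOLD = 3          # failures before a following success is suspicious

def parse(log_text):
    """Turn matching log lines into dicts with ts, event, user, ip."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def detect(events, trusted_ips=TRUSTED_IPS, threshold=FAILURE_THRESHOLD):
    """Return (indicator, user, ip, timestamp) alerts for the two log indicators."""
    alerts = []
    failures = defaultdict(int)  # (user, ip) -> consecutive DENIED logins
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["event"] == "DENIED":
            failures[key] += 1
            continue
        # ACCEPTED login: evaluate both indicators for default accounts only
        if ev["user"] in DEFAULT_USERS and failures[key] >= threshold:
            alerts.append(("guess_then_success", ev["user"], ev["ip"], ev["ts"]))
        if ev["user"] in DEFAULT_USERS and ev["ip"] not in trusted_ips:
            alerts.append(("untrusted_source", ev["user"], ev["ip"], ev["ts"]))
        failures[key] = 0  # a success resets the streak for that pair
    return alerts

def run_sample():
    return detect(parse(SAMPLE_LOG))
```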