CVE-2020-2322
📋 TL;DR
The Jenkins Chaos Monkey Plugin vulnerability allows attackers with Overall/Read permission to exploit HTTP endpoints without proper authorization checks. This enables them to generate excessive load and create memory leaks on Jenkins servers. Organizations using Jenkins with this plugin installed are affected.
💻 Affected Systems
- Jenkins Chaos Monkey Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could cause denial of service through resource exhaustion, potentially crashing Jenkins servers and disrupting CI/CD pipelines.
Likely Case
Unauthorized users generating artificial load, degrading Jenkins performance and causing memory issues that require restarts.
If Mitigated
With proper permission controls and monitoring, impact is limited to minor performance degradation that can be quickly detected and addressed.
🎯 Exploit Status
Exploitation requires authenticated access with Overall/Read permission, which is commonly granted in many Jenkins deployments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20%281%29
Restart Required: Yes
Instructions:
1. Update Jenkins Chaos Monkey Plugin to version 0.4 or later via Jenkins Plugin Manager.
2. Restart Jenkins service.
3. Verify plugin version in Installed Plugins list.
🔧 Temporary Workarounds
Disable Chaos Monkey Plugin
Temporarily disable the vulnerable plugin until patching is possible
Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab
Find Chaos Monkey Plugin and click Disable
Restrict Overall/Read Permissions
Limit users with Overall/Read permission to trusted administrators only
Navigate to Jenkins > Manage Jenkins > Configure Global Security
Adjust permission matrix under Authorization section
🧯 If You Can't Patch
- Implement network segmentation to isolate Jenkins servers from untrusted networks
- Enable detailed logging and monitoring for unusual load patterns or memory usage spikes
🔍 How to Verify
Check if Vulnerable:
Check installed plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab, look for Chaos Monkey Plugin version
Check Version:
curl -s -u 'USER:API_TOKEN' http://jenkins-server/pluginManager/installed | grep 'chaos-monkey'
(Replace USER:API_TOKEN with the credentials of an account allowed to view installed plugins; an unauthenticated request is normally rejected and the grep would then match nothing, which is not proof that the plugin is absent.)
Verify Fix Applied:
Verify Chaos Monkey Plugin version is 0.4 or higher in Installed Plugins list
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to Chaos Monkey endpoints
- Sudden memory usage spikes
- Increased CPU load without corresponding job activity
Network Indicators:
- Repeated POST/GET requests to /chaos-monkey/* endpoints from non-admin users
SIEM Query:
source="jenkins.log" AND ("chaos-monkey" OR "ChaosMonkey") AND (POST OR GET) AND NOT user="admin"
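As an added illustration of the detection heuristic above (this script is not part of the original advisory), the following Python counts requests under /chaos-monkey/ per user, excluding a trusted-admin allowlist, over constructed access-log lines; the usernames, IPs and the path suffix "exampleAction" are invented, only the /chaos-monkey/ prefix and the non-admin focus come from the page.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the page or any real Jenkins instance).
# Combined-log style with the authenticated Jenkins user in the third field, as a
# reverse proxy in front of Jenkins might write them. "/chaos-monkey/exampleAction"
# is a placeholder path, not a real plugin endpoint name.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Dec/2020:10:00:01 +0000] "GET /job/build/lastBuild/ HTTP/1.1" 200 512
10.0.0.9 - bob [03/Dec/2020:10:00:02 +0000] "POST /chaos-monkey/exampleAction HTTP/1.1" 200 0
10.0.0.9 - bob [03/Dec/2020:10:00:03 +0000] "POST /chaos-monkey/exampleAction HTTP/1.1" 200 0
10.0.0.9 - bob [03/Dec/2020:10:00:04 +0000] "GET /chaos-monkey/exampleAction HTTP/1.1" 200 0
10.0.0.2 - admin [03/Dec/2020:10:00:05 +0000] "POST /chaos-monkey/exampleAction HTTP/1.1" 200 0
10.0.0.7 - - [03/Dec/2020:10:00:06 +0000] "GET /chaos-monkey/ HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def chaos_monkey_hits(log_text, trusted_users=("admin",)):
    """Per-user counts of requests under /chaos-monkey/ from non-trusted users.

    "allowed" counts responses below 400 (the request reached the plugin),
    "denied" counts 4xx/5xx. Anonymous requests ('-') are keyed by source IP.
    On a patched instance (0.4+) non-admin requests should land in "denied".
    """
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/chaos-monkey/"):
            continue
        user = m["user"] if m["user"] != "-" else f"anonymous@{m['ip']}"
        if user in trusted_users:
            continue
        key = "allowed" if int(m["status"]) < 400 else "denied"
        hits[user][key] += 1
    return {u: dict(c) for u, c in hits.items()}


def alerts(log_text, threshold=2, trusted_users=("admin",)):
    """Users whose successful /chaos-monkey/ requests reach the threshold: a burst
    from a single Overall/Read account matches the advisory's likely case."""
    hits = chaos_monkey_hits(log_text, trusted_users)
    return sorted(u for u, c in hits.items() if c["allowed"] >= threshold)
```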