Accidental Loss of Database Leads to Outage, Potential Threat For Jenkins Artifactory Portal

Accidental deletion of user data can cause severe consequences, like a loss of users' trust on any organization. In a recent incident, accidental deletion of user database by Jenkins created a loophole, that could have allowed threat actors to hijack the user accounts of Jenkins plugin authors.

What happened

Jenkins blocked releases to the Jenkins Artifactory instance due to a partial user database loss on June 02, 2020.
  • In early June, the Jenkins team noticed an error in their Kubernetes cluster system, that forced them to rebuild parts of the Jenkins Artifactory portal from scratch.
  • While rebuilding the system, they lost around three months worth of changes made in the Lightweight Directory Access Protocol (LDAP) database, including details about user accounts used by Jenkins plugin developers.

Impact and Response

  • A number of potential security risks (such as account takeover and malicious upload) were identified which could have been caused by the LDAP outage.
  • Following the incident, the Jenkins team also performed a security audit. The team reviewed all artifact uploads between June 2 and June 9, and found no malicious activity.
  • The corporate account of several users, including that of 42Crunch, got deleted during the incident. However, when they re-registered their old account, it was automatically restored with access and permissions that the old, deleted account had, including full ownership of its Jenkins extension in the marketplace.

The bottom line

Due to software glitches, disruptions in development workflows, or human errors, software supply chains can often face new security threats. However, with proper precautions and vetting processes in place, organizations can ensure that they do not suffer from security breaches arising from flaws in their deployed software.