A significant security flaw has been identified in widely used Jenkins Docker images, potentially compromising build pipelines across numerous organizations. This vulnerability, disclosed in a Jenkins Security Advisory on April 10, 2025, pertains to SSH host key handling in specific Docker images and could enable attackers to execute man-in-the-middle attacks against Jenkins build environments.
Understanding the Vulnerability
The issue, tracked as CVE-2025-32754 and CVE-2025-32755, affects the `jenkins/ssh-agent` Docker images (versions up to and including 6.11.1) and all versions of the deprecated `jenkins/ssh-slave` image. The root cause lies in the generation of SSH host keys during image creation rather than at container startup for Debian-based images. Consequently, all containers based on images of the same version utilize identical SSH host keys. This practice undermines the security model of SSH, where host keys are intended to uniquely identify servers and establish trust relationships.
The Jenkins project credits security researcher Abhishek Reddypalle for discovering and reporting this vulnerability.
Detailed Impact and Exploitability
The vulnerabilities have been assigned a CVSS 3.1 score of 9.1 (Critical), indicating their severity. The potential impacts include:
– Man-in-the-Middle Attacks: Attackers intercepting network traffic between the Jenkins controller and SSH build agents can impersonate legitimate agents without triggering SSH authenticity warnings.
– Unauthorized Access and Credential Theft: By exploiting the vulnerability, attackers can gain unauthorized access to build environments, leading to the theft of credentials or secrets used during builds.
– Build Manipulation: Malicious actors can intercept or modify build artifacts, potentially injecting malicious code into build pipelines.
Such attacks are particularly concerning in Continuous Integration/Continuous Deployment (CI/CD) environments, where compromised build processes can lead to supply chain attacks affecting downstream systems and customers.
Affected Docker Images
The vulnerability specifically impacts the following image variants:
– `jenkins/ssh-agent`:
– All tags not explicitly specifying an OS, including all `-jdk` and `-jdk-preview` suffixes (before April 10, 2025).
– All images containing `debian`, `stretch`, `bullseye`, or `bookworm` (before April 10, 2025).
– `jenkins/ssh-slave` (deprecated):
– Tags `latest`, `jdk11`, `latest-jdk11`, `revert-22-jdk11-JENKINS-52279`.
It’s important to note that Alpine-based, Windows, and Nanoserver variants are unaffected by this vulnerability.
Mitigation and Remediation
In response to this critical issue, the Jenkins project has released updated `jenkins/ssh-agent` images in version 6.11.2. These updates introduce a crucial security improvement:
The `jenkins/ssh-agent` 6.11.2 Docker images based on Debian delete the automatically generated SSH host keys created during image creation. New host keys are generated on the first container startup.
This change ensures that each container instance generates unique SSH host keys upon startup, thereby restoring the intended security model of SSH.
Recommended Actions for Organizations
Organizations utilizing the affected Jenkins Docker images should take the following steps immediately:
1. Update Docker Images: Pull the latest `jenkins/ssh-agent` Docker image (version 6.11.2 or later) to ensure the vulnerability is addressed.
2. Verify Image Versions: Inspect current Docker images to confirm they are running the patched version.
3. Regenerate SSH Host Keys: For existing containers, consider regenerating SSH host keys to ensure uniqueness across deployments.
4. Monitor Build Pipelines: Implement monitoring to detect any unusual activity within build pipelines that could indicate exploitation attempts.
5. Review Security Practices: Regularly review and update security practices related to Docker image management and SSH configurations to prevent similar vulnerabilities.
Conclusion
The discovery of this critical vulnerability in Jenkins Docker images underscores the importance of vigilant security practices in CI/CD environments. By promptly updating to the patched Docker images and implementing the recommended actions, organizations can mitigate the risk of man-in-the-middle attacks and safeguard their build pipelines against potential compromises.
