Date: Mon, 9 Nov 2015 15:19:36 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization

Hello,

Please assign a CVE to this issue:

Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.
This is tracked as SECURITY-218 in the Jenkins project. All current Jenkins releases are affected.

Public exploit:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins

Temporary workaround:
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

A related issue is being discussed here:
http://www.openwall.com/lists/oss-security/2015/11/09/1
Jenkins is affected by both this and the Groovy variant in 'ysoserial'.

We plan to release a fix for this as part of our planned security update on Wednesday.

Thanks!

--
Daniel Beck
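
The bug class the request describes, unsafe Java deserialization, reduced to its essentials as an added example (this is not Jenkins remoting code, not the SECURITY-218 fix, and not part of the message above). It shows why `ObjectInputStream.readObject()` on untrusted bytes is remote code execution by design and what look-ahead (whitelist) deserialization changes: `resolveClass()` runs for every class descriptor before an instance exists, so a class the service never asked for is rejected before any gadget's `readObject()` can execute. `Ping`, `WhitelistObjectInputStream`, `readUnsafe` and `readSafe` are hypothetical names chosen for this example; the "unexpected" payload is a plain `HashMap` standing in for a gadget chain, since a real ysoserial chain needs the Groovy or Commons-Collections classes on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

public class DeserializationDemo {

    // Hypothetical message type the service legitimately expects on the wire.
    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload;
        Ping(String payload) { this.payload = payload; }
    }

    // VULNERABLE: the class name comes from the attacker-controlled stream, and the
    // JVM instantiates it (running its readObject/readResolve hooks) before this
    // method ever gets a chance to look at the result.
    static Object readUnsafe(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    // HARDENED: look-ahead deserialization. resolveClass() sees each class
    // descriptor as it is read, so anything off the whitelist fails early.
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on deserialization whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readSafe(InputStream in, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new WhitelistObjectInputStream(in, allowed)) {
            return ois.readObject();
        }
    }

    // Helper producing the same bytes a remote peer would send.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(Ping.class.getName());

        byte[] expected = serialize(new Ping("hello"));
        // Constructed stand-in for a gadget chain: a class the service never asked for.
        byte[] unexpected = serialize(new HashMap<String, String>());

        // The vulnerable reader happily materialises whatever arrived.
        Object o = readUnsafe(new ByteArrayInputStream(unexpected));
        System.out.println("unsafe reader produced: " + o.getClass().getName());

        // The whitelist reader still accepts the legitimate message...
        Ping p = (Ping) readSafe(new ByteArrayInputStream(expected), allowed);
        System.out.println("safe reader accepted Ping(" + p.payload + ")");

        // ...and rejects the unexpected class before it is instantiated.
        try {
            readSafe(new ByteArrayInputStream(unexpected), allowed);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("safe reader rejected: " + e.classname);
        }
    }
}
```

Two caveats a reviewer of such a fix would raise. First, a whitelist is only as strong as its weakest entry: every allowed class, and every class reachable through its serializable fields, must have harmless `readObject`/`readResolve` behaviour, and `java.lang.String` and primitives never pass through `resolveClass()` at all. Second, the opposite approach, a blocklist of known gadget classes, is what many vendors shipped first and is bypassed as soon as a new gadget chain is published; the only complete fix for an unauthenticated endpoint is to stop accepting serialized objects from it, which is what the linked workaround (disabling the CLI port) achieves for the interim. On Java 9+ (and 8u121+) the same check can be expressed with `ObjectInputFilter` instead of overriding `resolveClass()`.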
