Date: Mon, 9 Nov 2015 15:19:36 +0100 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Hello, Please assign a CVE to this issue: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master. This is tracked as SECURITY-218 in the Jenkins project. All current Jenkins releases are affected. Public exploit: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins Temporary workaround: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli A related issue is being discussed here: http://www.openwall.com/lists/oss-security/2015/11/09/1 Jenkins is affected by both this and the Groovy variant in 'ysoserial'. We plan to release a fix for this as part of our planned security update on Wednesday. Thanks! -- Daniel Beck
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ