Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 Nov 2015 15:19:36 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization

Hello,

Please assign a CVE to this issue:

Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.
This is tracked as SECURITY-218 in the Jenkins project. All current Jenkins releases are affected.

Public exploit:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins

Temporary workaround:
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

A related issue is being discussed here:
http://www.openwall.com/lists/oss-security/2015/11/09/1
Jenkins is affected by both this and the Groovy variant in 'ysoserial'.

We plan to release a fix for this as part of our planned security update on Wednesday.

Thanks!

--
Daniel Beck

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ