Date: Sun, 13 Nov 2016 00:13:40 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: Jenkins remote code execution vulnerability

Hello,

An unauthenticated remote code execution vulnerability was discovered in the
Jenkins continuous integration and continuous delivery automation server.
A serialized Java object transferred to the Jenkins CLI can make Jenkins
connect to an attacker-controlled LDAP server, which in turn can send a
serialized payload leading to code execution, bypassing existing protection
mechanisms.

The Jenkins project tracks this as SECURITY-360. Releases with the fix are
planned for Wednesday, November 16.

Please assign a CVE to this issue.

References:

Jenkins website:
https://jenkins.io/

Publication of the vulnerability in this talk:
https://www.deepsec.net/speaker.html#PSLOT250

Notification and workaround by the Jenkins project here:
https://groups.google.com/d/msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ
