Date: Wed, 26 Apr 2017 21:07:50 +0200 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: Multiple vulnerabilities in Jenkins The Jenkins project published updates today with fixes for multiple vulnerabilities. Users should upgrade to the versions below: * Jenkins (weekly) 2.57 * Jenkins (LTS) 2.46.2 Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: https://jenkins.io/security/advisory/2017-04-26/ We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you find security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- SECURITY-412 through SECURITY-420 / CVE-2017-1000356 Multiple CSRF vulnerabilities, including immediate or delayed Jenkins restart, removing all configured update sites, installing and loading any plugin available on configured update sites, changing Jenkins system, security, and tool configuration, or creating new agents. SECURITY-429 / CVE-2017-1000353 An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. SECURITY-466 / CVE-2017-1000354 The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. SECURITY-503 / CVE-2017-1000355 Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to provide XML to Jenkins for processing using XStream to crash the Java process. In Jenkins this typically applies to users with permission to create or configure items (jobs), views, or agents. 1: http://www.openwall.com/lists/oss-security/2017/04/03/4
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ