Date: Mon, 9 Nov 2015 15:19:36 +0100 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Hello, Please assign a CVE to this issue: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master. This is tracked as SECURITY-218 in the Jenkins project. All current Jenkins releases are affected. Public exploit: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins Temporary workaround: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli A related issue is being discussed here: http://www.openwall.com/lists/oss-security/2015/11/09/1 Jenkins is affected by both this and the Groovy variant in 'ysoserial'. We plan to release a fix for this as part of our planned security update on Wednesday. Thanks! -- Daniel Beck
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.