Date: Tue, 17 Nov 2015 19:54:20 -0500 (EST)
From: cve-assign@...re.org
To: ml@...kweb.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization


> Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
> Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.
> This is tracked as SECURITY-218 in the Jenkins project. All current Jenkins releases are affected.

> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

> Public exploit:
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins

>> The exploit requires you to have access to a high numbered TCP port
>> running on the Jenkins machine, so it's unlikely this one will work
>> from the Internet.
> Temporary workaround:
> https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

> A related issue is being discussed here:
> http://www.openwall.com/lists/oss-security/2015/11/09/1
> Jenkins is affected by both this and the Groovy variant in 'ysoserial'.

Use CVE-2015-8103 for the vulnerability addressed by modifying Jenkins
to be safe in the presence of a problematic
webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file.

As far as we know, "the Groovy variant in 'ysoserial'" means:

  https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Groovy1.java

which is a CVE-2015-3253 exploit. Also, we are guessing that Groovy is
relevant because of:

  https://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin

If preventing the ysoserial Groovy attack against Jenkins only
involves updating the installed Groovy code to 2.4.4 or 2.4.5, and it
has never been necessary or recommended to change any component unique
to Jenkins, then we would recommend mapping to CVE-2015-3253. If it
were necessary or recommended to change any component unique to
Jenkins, then you can have an additional CVE ID for the ysoserial
Groovy aspect of SECURITY-218. (Our expectation is that separate CVE
IDs are needed because the Groovy plugin has its own version numbering --
such as version 1.27 -- that's separate from the version numbering of
Jenkins core.)

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
