oss-sec mailing list archives

CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization

From: Daniel Beck <ml () beckweb net>
Date: Mon, 9 Nov 2015 15:19:36 +0100

Hello,

Please assign a CVE to this issue:

Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.
This is tracked as SECURITY-218 in the Jenkins project. All current Jenkins releases are affected.

Public exploit:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins

Temporary workaround:
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

A related issue is being discussed here:
http://www.openwall.com/lists/oss-security/2015/11/09/1
Jenkins is affected by both this and the Groovy variant in 'ysoserial'.

We plan to release a fix for this as part of our planned security update on Wednesday.

Thanks!

--
Daniel Beck

Current thread:

CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Daniel Beck (Nov 09)
- Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization cve-assign (Nov 17)
  - Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Daniel Beck (Nov 18)
    - Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization cve-assign (Nov 18)
    - Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Moritz Bechler (Nov 18)