Jenkins Security Advisory 2016-11-16

This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.

Description

Remote code execution vulnerability in remoting module

SECURITY-360 / CVE-2016-9299

An unauthenticated remote code execution vulnerability allowed attackers to send a serialized Java object to the Jenkins CLI. Deserializing that object made Jenkins connect to an attacker-controlled LDAP server, which could then return a further serialized payload leading to code execution, bypassing the existing deserialization protection mechanisms.

Severity

  • SECURITY-360 is considered critical as it allows unprivileged attackers to execute arbitrary code.

Affected versions

  • All Jenkins main line releases up to and including 2.31

  • All Jenkins LTS releases up to and including 2.19.2

Fix

  • Jenkins main line users should update to 2.32

  • Jenkins LTS users should update to 2.19.3

These versions include the fix for the vulnerability described above. All prior versions are affected.
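A quick way to decide whether a given instance is still affected is to compare its reported version against the fixed releases named above, taking the release line into account. The following Python script is an added example, not code from the advisory or the Jenkins project. It assumes the Jenkins convention that LTS versions carry three numeric components (e.g. 2.19.2) while main line ("weekly") versions carry two (e.g. 2.31), and that a live instance reports its version in the X-Jenkins HTTP response header; the sample headers below are constructed for the demonstration.

```python
"""Check a Jenkins version string against the fixed releases for
SECURITY-360 / CVE-2016-9299 (2.32 main line, 2.19.3 LTS).

Added example; not from the advisory or the Jenkins project.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# First fixed release per line, as stated in the advisory.
FIXED_MAIN_LINE = (2, 32)
FIXED_LTS = (2, 19, 3)

# Leading dotted-numeric prefix; tolerates suffixes such as "-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.2' or '2.32-SNAPSHOT' into a comparable tuple of ints."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_lts(parts: Tuple[int, ...]) -> bool:
    # Assumption: three components (2.19.2, 1.651.3) mark an LTS release,
    # two components (2.31) mark a main line release.
    return len(parts) == 3


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fixed release of its own line.

    Tuple comparison handles both lines: (2, 31) < (2, 32) and
    (2, 19, 2) < (2, 19, 3), while every 1.x release sorts before both.
    """
    parts = parse_version(version)
    fixed = FIXED_LTS if is_lts(parts) else FIXED_MAIN_LINE
    return parts < fixed


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the X-Jenkins header value (name matched case-insensitively)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def assess_response(headers: Dict[str, str]) -> Optional[bool]:
    """True/False for a header set that names a version, None if it does not."""
    version = version_from_headers(headers)
    if version is None:
        return None
    return is_vulnerable(version)


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch response headers from a live instance (only used from main).

    Jenkins still sends X-Jenkins on a 403 for an unauthenticated request,
    so the headers of an HTTPError are returned rather than discarded.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses for an offline run.
SAMPLE_RESPONSES = {
    "lts-unpatched": {"X-Jenkins": "2.19.2", "Server": "Jetty(9.2.z-SNAPSHOT)"},
    "lts-patched": {"x-jenkins": "2.19.3"},
    "weekly-unpatched": {"X-Jenkins": "2.31"},
    "weekly-patched": {"X-Jenkins": "2.32"},
    "old-lts": {"X-Jenkins": "1.651.3"},
    "not-jenkins": {"Server": "nginx"},
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        headers = fetch_headers(sys.argv[1])
        print(sys.argv[1], version_from_headers(headers), assess_response(headers))
    else:
        for label, headers in SAMPLE_RESPONSES.items():
            print(f"{label:18} version={version_from_headers(headers)!s:8} "
                  f"vulnerable={assess_response(headers)}")
```

Run it with no arguments to see the constructed samples classified; pass a base URL (e.g. `https://ci.example.org/`) to check a live instance. A `None` result means the response carried no X-Jenkins header, which should be treated as "unknown", not "safe".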

Notes

As part of this fix, a number of other classes usable as deserialization "gadgets" were reviewed and are now also prohibited from being deserialized. We tracked this activity as SECURITY-317.

Other resources