Jenkins admin? Get buzzy patching, says CloudBees

DevOps types are going to have to prioritise Ops for a bit to quash Java deserialisation and login vulns

Jenkins, the CloudBees-backed CI server, needs a patch against a Java deserialisation vulnerability in its command-line interface.

The bug, CVE-2017-1000353, lies in the Jenkins CLI, which tunnels its remoting channel over a pair of HTTP requests (one for upload, one for download).

The bug lets an attacker smuggle a serialised object into the preamble of the commands sent to the CLI. As described by Securiteam, “since Jenkins does not validate the serialised object, any serialise[d] object can be sent.”

The attacker can use the channel to send a serialised java.security.SignedObject to the CLI. The SignedObject wrapper itself passes Jenkins's checks, but its signed content is unpacked by SignedObject.getObject() using a new, unfiltered ObjectInputStream, which, as the Jenkins advisory puts it, bypasses the existing blacklist-based protection mechanism.

To block it, the fix adds SignedObject to that blacklist (the remoting ClassFilter), so the wrapper is rejected before its content is ever unwrapped.
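The bypass is easiest to see in code. The following is an added example, not Jenkins's own code: a simplified name-based blacklist filter standing in for the remoting ClassFilter, a harmless Gadget class standing in for a real gadget chain (it only sets a flag when deserialised), and a hypothetical receive() method standing in for the server-side path that deserialises the CLI preamble and unwraps a SignedObject. The throwaway RSA key is the attacker's own; nothing checks the signature before getObject() unpacks the content.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SignedObjectBypassDemo {

    /** Stand-in for a dangerous gadget: records that it was deserialised instead of running a command. */
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real gadget chain would execute the attacker's command here
        }
    }

    /** Blacklist-filtering stream: a hypothetical simplification of Jenkins's pre-fix ClassFilter. */
    static class FilteringObjectInputStream extends ObjectInputStream {
        private final Set<String> blacklist;

        FilteringObjectInputStream(byte[] data, Set<String> blacklist) throws IOException {
            super(new ByteArrayInputStream(data));
            this.blacklist = blacklist;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (blacklist.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "rejected by blacklist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Hypothetical server side: filtered deserialisation, then unwrap if a SignedObject arrived. */
    static Object receive(byte[] data, Set<String> blacklist) throws IOException, ClassNotFoundException {
        Object o;
        try (FilteringObjectInputStream in = new FilteringObjectInputStream(data, blacklist)) {
            o = in.readObject(); // the filter only sees SignedObject and its byte[] fields
        }
        if (o instanceof SignedObject) {
            // getObject() builds its own plain ObjectInputStream over the signed bytes,
            // so the blacklist never sees the inner class name.
            return ((SignedObject) o).getObject();
        }
        return o;
    }

    public static void main(String[] args) throws Exception {
        Set<String> blacklist = new HashSet<>(Arrays.asList(Gadget.class.getName()));

        // 1. Direct delivery: the filter rejects the gadget.
        try {
            receive(serialize(new Gadget()), blacklist);
            System.out.println("direct: unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("direct: rejected (" + e.getMessage() + ")");
        }

        // 2. Same gadget wrapped in a SignedObject signed with a throwaway key: filter bypassed.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        SignedObject wrapped = new SignedObject(new Gadget(), kp.getPrivate(), Signature.getInstance("SHA256withRSA"));
        Gadget.triggered = false;
        receive(serialize(wrapped), blacklist);
        System.out.println("wrapped: gadget triggered = " + Gadget.triggered);

        // 3. The fix shipped for CVE-2017-1000353: blacklist SignedObject itself.
        blacklist.add(SignedObject.class.getName());
        Gadget.triggered = false;
        try {
            receive(serialize(wrapped), blacklist);
            System.out.println("patched: unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("patched: rejected, gadget triggered = " + Gadget.triggered);
        }
    }
}
```

Compile and run with `javac SignedObjectBypassDemo.java && java SignedObjectBypassDemo`: the direct payload is rejected, the wrapped one trips the gadget, and the patched blacklist stops it at the outer stream. The broader lesson is that a filter attached to one ObjectInputStream cannot see nested streams created by the classes it admits; a process-wide serialization filter (JEP 290, `jdk.serialFilter` or `ObjectInputFilter.Config.setSerialFilter`, available from Java 8u121 and Java 9) applies to every ObjectInputStream, including the one SignedObject.getObject() creates internally.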

To test the vulnerability for yourself, the bug report suggests the following:

  • Build the serialised payload object by running payload.jar with the command you want executed;
  • Edit the Python script jenkins_poc1.py so that it points at the target URL and opens your payload file.

The fix is published, along with a number of other bug-fixes, in the Jenkins security advisory of 26 April 2017; the patched releases are Jenkins 2.57 and LTS 2.46.2.

Also fixed in the same release are various cross-site request forgery (CSRF) bugs, a CLI login bug that let users impersonate other Jenkins users, and a Java crash (denial-of-service) bug. ®

Biting the hand that feeds IT © 1998–2017