Jenkins admin? Get buzzy patching, says Cloudbees
DevOps types are going to have to prioritise Ops for a bit to quash Java, login vulns
Cloudbees's Jenkins needs a patch against a Java deserialisation vulnerability.
The bug, CVE-2017-1000353, exists in how Jenkins implements HTTP upload/download requests.
The bug lets an attacker exploit a serialised object in the preamble of commands sent to the CLI. As described by Securiteam, “since Jenkins does not validate the serialised object, any serialise[d] object can be sent.”
The attacker can use the channel to send a SignedObject to the CLI. Jenkins deserialises it using a new ObjectInputStream, which the company says bypasses its blacklist-based protection mechanism.
To block it, Cloudbees has added SignedObject to its blacklist.
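The mechanism the article describes, as an added illustration that is not code from the article, from Jenkins or from Cloudbees: java.security.SignedObject carries its wrapped object as raw serialised bytes, and its getObject() method opens its own plain ObjectInputStream over them, so a class blacklist applied to the outer stream never sees the inner object. The class name BlacklistObjectInputStream and the deny-list contents are assumptions made for this example; the inner payload is a harmless String.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

public class SignedObjectFilterDemo {

    // A deserialising stream that refuses blacklisted classes before they are
    // resolved. Constructed for this example in the spirit of a deny-list such
    // as the one Jenkins applies to its CLI channel.
    static class BlacklistObjectInputStream extends ObjectInputStream {
        private static final Set<String> DENY = Set.of(
            "java.security.SignedObject"   // the class the article says Cloudbees added to its blacklist
        );

        BlacklistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (DENY.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is blacklisted");
            }
            return super.resolveClass(desc);
        }
    }

    // Serialise a SignedObject that wraps the given inner object (constructed sample input).
    static byte[] serialiseSignedObject(Serializable inner) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withRSA");
        SignedObject so = new SignedObject(inner, kp.getPrivate(), sig);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(so);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] wire = serialiseSignedObject("hello");

        // Unfiltered stream: the outer read succeeds, and getObject() then opens
        // its own ObjectInputStream over the embedded bytes, so nothing applied
        // to the outer stream inspects the inner object.
        try (ObjectInputStream plain = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            SignedObject so = (SignedObject) plain.readObject();
            System.out.println("Unfiltered: inner object = " + so.getObject());
        }

        // Blacklisting stream: the SignedObject class itself is refused at
        // resolveClass(), so the nested stream is never created.
        try (ObjectInputStream filtered = new BlacklistObjectInputStream(new ByteArrayInputStream(wire))) {
            filtered.readObject();
            System.out.println("Filtered: unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("Filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point for anyone maintaining a deny-list is that it must cover every class whose own deserialisation code opens a fresh ObjectInputStream, not only the gadget classes it was originally written against; the outer filter is the only place such a wrapper can be stopped.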
To test the vulnerability for yourself, the bug report suggests the following:
- Create a serialised object whose payload is a command, executed by running the payload.jar script;
- Change the Python script jenkins_poc1.py to adjust the target URL, and open your payload file.
The fix is published along with a number of other bug-fixes here.
Also fixed in the patch are various cross-site request forgery bugs, a login impersonation bug, and a Java crash-fix. ®