Also note that, if you're planning a Jenkins upgrade anyway, there's another Jenkins release coming out tomorrow (1.625.3) to fix one or more new security issues: https://groups.google.com/forum/#!topic/jenkinsci-advisories/UbJeKl4Vxbw
So, you may want to apply the CLI workaround from the blog post that Mark linked to just now, and do a full upgrade tomorrow (or more likely Thursday, as releases seem to be done in US West Coast working hours).

Regards,
Chris

On 08/12/15 02:09, Mark Waite wrote:
> Yes, based on
> https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
> , that is impacting Jenkins.
>
> The link you posted states that Jenkins is affected. It includes the
> link to the above Jenkins blog posting which describes a remediation you
> can take with your existing Jenkins version, and a statement that
> 1.625.2 includes the fix. If you read those two postings, you'll be
> able to answer your own questions, including describing the bug and its
> vulnerability (whatever that means to you).
>
> Never waste a crisis. In this case, use it as the opportunity to
> upgrade your environment to Java 8 (or at least to Java 7), and to
> install the latest Jenkins long term support release (1.625.2).
>
> Mark Waite
>
> On Mon, Dec 7, 2015 at 5:56 PM Indra Gunawan (ingunawa)
> <[email protected]> wrote:
>
> > https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
> >
> > Building on Frohoff's tool ysoserial
> > <https://github.com/frohoff/ysoserial>, Stephen Breen (@breenmachine
> > <https://twitter.com/breenmachine>) of Foxglove Security inspected
> > various products like WebSphere, JBoss, Jenkins, WebLogic, and
> > OpenNMS and describes
> > (http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
> > for each of them various attack scenarios.
> >
> > Both research works show that developers put too much trust in Java
> > Object Serialization. Some even de-serialize objects
> > pre-authentication. When deserializing an Object in Java you
> > typically cast it to an expected type, and therefore Java's strict
> > type system will ensure you only get valid object trees.
> > Unfortunately, by the time the type checking happens, platform code
> > has already created and executed significant logic. So, before the
> > final type is checked a lot of code is executed from the
> > readObject() methods of various objects, all of which is out of the
> > developer's control. By combining the readObject() methods of
> > various classes which are available on the classpath of the
> > vulnerable application an attacker can execute functions (including
> > calling Runtime.exec() to execute local OS commands).
> >
> > The best protection against this is to avoid using a complex
> > serialization protocol with untrusted peers. It is possible to limit
> > the impact when using a custom ObjectInputStream which
> > overrides resolveClass
> > <http://docs.oracle.com/javase/7/docs/api/java/io/ObjectInputStream.html#resolveClass%28java.io.ObjectStreamClass%29>
> > to implement a whitelist approach
> > http://www.ibm.com/developerworks/library/se-lookahead/.
> > This might however not always be possible, such as when a framework
> > or application server provides the endpoint. This is rather bad
> > news, as there is no easy fix and applications need to revisit their
> > client-server protocols and overall architecture.
> >
> > …
> >
> > Is this truly impacting Jenkins? Our IT suggests the following
> > Jenkins version to upgrade before the end of year shut-down. I want
> > to know the impact of this bug, and its vulnerability.
> >
> > Remediation:
> >
> > * Jenkins main line users should update to 1.638
> > * Jenkins LTS users should update to 1.625.2
> >
> > Thank you
> > -Indra
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Jenkins Users" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to [email protected].
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/jenkinsci-users/D28B6AAB.3D25B%25ingunawa%40cisco.com.
> > For more options, visit https://groups.google.com/d/optout.
