As somebody on the jenkins-cert list, I highly recommend upgrading to
1.625.3

On 8 December 2015 at 07:41, Christopher Orr <ch...@orr.me.uk> wrote:

> Also note that, if you're planning a Jenkins upgrade anyway, there's
> another Jenkins release coming out tomorrow (1.625.3) to fix one or more
> new security issues:
> https://groups.google.com/forum/#!topic/jenkinsci-advisories/UbJeKl4Vxbw
>
> So, you may want to apply the CLI workaround from the blog post that
> Mark linked to just now, and do a full upgrade tomorrow (or more likely
> Thursday, as releases seem to be done in US West Coast working hours).
>
> Regards,
> Chris
>
>
> On 08/12/15 02:09, Mark Waite wrote:
> > Yes, based on
> > https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
> > that is impacting Jenkins.
> >
> > The link you posted states that Jenkins is affected.  It includes the
> > link to the above Jenkins blog posting which describes a remediation you
> > can take with your existing Jenkins version, and a statement that
> > 1.625.2 includes the fix.  If you read those two postings, you'll be
> > able to answer your own questions, including describing the bug and its
> > vulnerability (whatever that means to you).
> >
> > Never waste a crisis.  In this case, use it as the opportunity to
> > upgrade your environment to Java 8 (or at least to Java 7), and to
> > install the latest Jenkins long term support release (1.625.2).
> >
> > Mark Waite
> >
> > On Mon, Dec 7, 2015 at 5:56 PM Indra Gunawan (ingunawa)
> > <ingun...@cisco.com <mailto:ingun...@cisco.com>> wrote:
> >
> >
> https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
> >
> >     Building on Frohoff's tool ysoserial
> >     <https://github.com/frohoff/ysoserial>, Stephen Breen (@breenmachine
> >     <https://twitter.com/breenmachine>) of Foxglove Security inspected
> >     various products like WebSphere, JBoss, Jenkins, WebLogic, and
> >     OpenNMS and describes
> >     (http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
> >     for each of them various attack scenarios.
> >
> >     Both research works show that developers put too much trust in Java
> >     Object Serialization. Some even de-serialize objects
> >     pre-authentication. When deserializing an Object in Java you
> >     typically cast it to an expected type, and therefore Java's strict
> >     type system will ensure you only get valid object trees.
> >     Unfortunately, by the time the type checking happens, platform code
> >     has already created and executed significant logic. So, before the
> >     final type is checked a lot of code is executed from the
> >     readObject() methods of various objects, all of which is out of the
> >     developer's control. By combining the readObject() methods of
> >     various classes which are available on the classpath of the
> >     vulnerable application an attacker can execute functions (including
> >     calling Runtime.exec() to execute local OS commands).
> >
> >     The best protection against this, is to avoid using a complex
> >     serialization protocol with untrusted peers. It is possible to limit
> >     the impact when using a custom ObjectInputStream which
> >     overrides resolveClass
> >     <http://docs.oracle.com/javase/7/docs/api/java/io/ObjectInputStream.html#resolveClass%28java.io.ObjectStreamClass%29>
> >     to implement a whitelist approach
> >     http://www.ibm.com/developerworks/library/se-lookahead/.
> >     This might however not always be possible, such as when a framework
> >     or application server provides the endpoint. This is rather bad
> >     news, as there is no easy fix and applications need to revisit their
> >     client-server protocols and overall architecture.
> >
> >     …
> >
> >     Is this truly impacting Jenkins?  Our IT suggests the following
> >     Jenkins version to upgrade before the end of year shut-down.  I want
> >     to know the impact of this bug, and its vulnerability.
> >
> >     Remediation:
> >
> >       * Jenkins main line users should update to 1.638
> >       * Jenkins LTS users should update to 1.625.2
> >
> >
> >     Thank you
> >     -Indra
> >
> >     --
> >     You received this message because you are subscribed to the Google
> >     Groups "Jenkins Users" group.
> >     To unsubscribe from this group and stop receiving emails from it,
> >     send an email to jenkinsci-users+unsubscr...@googlegroups.com
> >     <mailto:jenkinsci-users+unsubscr...@googlegroups.com>.
> >     To view this discussion on the web visit
> >
> https://groups.google.com/d/msgid/jenkinsci-users/D28B6AAB.3D25B%25ingunawa%40cisco.com
> >     <
> https://groups.google.com/d/msgid/jenkinsci-users/D28B6AAB.3D25B%25ingunawa%40cisco.com?utm_medium=email&utm_source=footer
> >.
> >     For more options, visit https://groups.google.com/d/optout.
> >
>

