As somebody on the jenkins-cert list, I highly recommend upgrading to 1.625.3
On 8 December 2015 at 07:41, Christopher Orr <[email protected]> wrote:
> Also note that, if you're planning a Jenkins upgrade anyway, there's
> another Jenkins release coming out tomorrow (1.625.3) to fix one or more
> new security issues:
> https://groups.google.com/forum/#!topic/jenkinsci-advisories/UbJeKl4Vxbw
>
> So, you may want to apply the CLI workaround from the blog post that
> Mark linked to just now, and do a full upgrade tomorrow (or more likely
> Thursday, as releases seem to be done in US West Coast working hours).
>
> Regards,
> Chris
>
> On 08/12/15 02:09, Mark Waite wrote:
> > Yes, based on
> > https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli,
> > that is impacting Jenkins.
> >
> > The link you posted states that Jenkins is affected. It includes the
> > link to the above Jenkins blog posting which describes a remediation you
> > can take with your existing Jenkins version, and a statement that
> > 1.625.2 includes the fix. If you read those two postings, you'll be
> > able to answer your own questions, including describing the bug and its
> > vulnerability (whatever that means to you).
> >
> > Never waste a crisis. In this case, use it as the opportunity to
> > upgrade your environment to Java 8 (or at least to Java 7), and to
> > install the latest Jenkins long term support release (1.625.2).
> >
> > Mark Waite
> >
> > On Mon, Dec 7, 2015 at 5:56 PM Indra Gunawan (ingunawa) <[email protected]> wrote:
> > >
> > > https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
> > >
> > > Building on Frohoff's tool ysoserial <https://github.com/frohoff/ysoserial>,
> > > Stephen Breen (@breenmachine <https://twitter.com/breenmachine>) of Foxglove
> > > Security inspected various products like WebSphere, JBoss, Jenkins, WebLogic,
> > > and OpenNMS and describes
> > > (http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
> > > for each of them various attack scenarios.
> > >
> > > Both research works show that developers put too much trust in Java
> > > Object Serialization. Some even de-serialize objects
> > > pre-authentication. When deserializing an Object in Java you
> > > typically cast it to an expected type, and therefore Java's strict
> > > type system will ensure you only get valid object trees.
> > > Unfortunately, by the time the type checking happens, platform code
> > > has already created and executed significant logic. So, before the
> > > final type is checked a lot of code is executed from the
> > > readObject() methods of various objects, all of which is out of the
> > > developer's control. By combining the readObject() methods of
> > > various classes which are available on the classpath of the
> > > vulnerable application an attacker can execute functions (including
> > > calling Runtime.exec() to execute local OS commands).
> > >
> > > The best protection against this, is to avoid using a complex
> > > serialization protocol with untrusted peers. It is possible to limit
> > > the impact when using a custom ObjectInputStream which overrides
> > > resolveClass
> > > <http://docs.oracle.com/javase/7/docs/api/java/io/ObjectInputStream.html#resolveClass%28java.io.ObjectStreamClass%29>
> > > to implement a whitelist approach
> > > http://www.ibm.com/developerworks/library/se-lookahead/.
> > > This might however not always be possible, such as when a framework
> > > or application server provides the endpoint. This is rather bad
> > > news, as there is no easy fix and applications need to revisit their
> > > client-server protocols and overall architecture.
> > >
> > > …
> > >
> > > Is this truly impacting Jenkins? Our IT suggests the following
> > > Jenkins version to upgrade before the end of year shut-down. I want
> > > to know the impact of this bug, and its vulnerability.
> > >
> > > Remediation:
> > >
> > > * Jenkins main line users should update to 1.638
> > > * Jenkins LTS users should update to 1.625.2
> > >
> > > Thank you
> > > -Indra
