Also note that, if you're planning a Jenkins upgrade anyway, there's
another Jenkins release coming out tomorrow (1.625.3) to fix one or more
new security issues:
https://groups.google.com/forum/#!topic/jenkinsci-advisories/UbJeKl4Vxbw
So, you may want to apply the CLI workaround from the blog post that
Mark linked to just now, and do a full upgrade tomorrow (or more likely
Thursday, as releases seem to be done in US West Coast working hours).
Regards,
Chris
On 08/12/15 02:09, Mark Waite wrote:
> Yes, based
> on
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli ,
> that is impacting Jenkins.
>
> The link you posted states that Jenkins is affected. It includes the
> link to the above Jenkins blog posting which describes a remediation you
> can take with your existing Jenkins version, and a statement that
> 1.625.2 includes the fix. If you read those two postings, you'll be
> able to answer your own questions, including describing the bug and its
> vulnerability (whatever that means to you).
>
> Never waste a crisis. In this case, use it as the opportunity to
> upgrade your environment to Java 8 (or at least to Java 7), and to
> install the latest Jenkins long term support release (1.625.2).
>
> Mark Waite
>
> On Mon, Dec 7, 2015 at 5:56 PM Indra Gunawan (ingunawa)
> <
ingu...@cisco.com <mailto:
ingu...@cisco.com>> wrote:
>
>
https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
>
> Building on Frohoff's tool ysoserial
> <
https://github.com/frohoff/ysoserial>, Stephen Breen (@breenmachine
> <
https://twitter.com/breenmachine>) of Foxglove Security inspected
> various products like WebSphere, JBoss, Jenkins, WebLogic, and
> OpenNMS and describes
> (
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
> for each of them various attack scenarios.
>
> Both research works show that developers put too much trust in Java
> Object Serialization. Some even de-serialize objects
> pre-authentication. When deserializing an Object in Java you
> typically cast it to an expected type, and therefore Java's strict
> type system will ensure you only get valid object trees.
> Unfortunately, by the time the type checking happens, platform code
> has already created and executed significant logic. So, before the
> final type is checked a lot of code is executed from the
> readObject() methods of various objects, all of which is out of the
> developer's control. By combining the readObject() methods of
> various classes which are available on the classpath of the
> vulnerable application an attacker can execute functions (including
> calling Runtime.exec() to execute local OS commands).
>
> The best protection against this, is to avoid using a complex
> serialization protocol with untrusted peers. It is possible to limit
> the impact when using a custom ObjectInputStream which
> overridesresolveClass
> <
http://docs.oracle.com/javase/7/docs/api/java/io/ObjectInputStream.html#resolveClass%28java.io.ObjectStreamClass%29> to
> implement a whitelist
> approach
http://www.ibm.com/developerworks/library/se-lookahead/.
> This might however not always be possible, such as when a framework
> or application server provides the endpoint. This is rather bad
> news, as there is no easy fix and applications need to revisit their
> client-server protocols and overall architecture.
>
> …
>
> Is this truly impacting Jenkins? Our IT suggests the following
> Jenkins version to upgrade before the end of year shut-down. I want
> to know the impact of this bug, and its vulnerability.
>
> Remediation:
>
> * Jenkins main line users should update to 1.638
> * Jenkins LTS users should update to 1.625.2
>
>
> Thank you
> -Indra
>
> --
> You received this message because you are subscribed to the Google
> Groups "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to
jenkinsci-use...@googlegroups.com
> <mailto:
jenkinsci-use...@googlegroups.com>.
> <
https://groups.google.com/d/msgid/jenkinsci-users/D28B6AAB.3D25B%25ingunawa%40cisco.com?utm_medium=email&utm_source=footer>.
> --
> You received this message because you are subscribed to the Google
> Groups "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
jenkinsci-use...@googlegroups.com
> <mailto:
jenkinsci-use...@googlegroups.com>.
> To view this discussion on the web visit
>
https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtF%3D%2BmqQAdL-5wMUJKPrhAZwaQocdyLmyqh9h%3D81MO8Dvg%40mail.gmail.com
> <
https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtF%3D%2BmqQAdL-5wMUJKPrhAZwaQocdyLmyqh9h%3D81MO8Dvg%40mail.gmail.com?utm_medium=email&utm_source=footer>.