Jenkins Security Advisory 2015-11-06

This security advisory involves the Jenkins CLI.

SECURITY 218

CloudBees Product Security has been made aware of a remote code execution vulnerability mountable by anonymous attacker who have access to Jenkins over HTTP or its TCP port.

Impact

The [Jenkins CLI](https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI) is currently impacted by this issue.

An unprivileged anonymous user could use this flaw to remotely execute code. Anyone with a front facing Jenkins instance (accessible through the internet even through a reverse proxy) is vulnerable to the attack.

All CloudBees Jenkins on-premise installations are vulnerable to this flaw.

Determining Vulnerability

TBD

Mitigation

[SECURITY] (https://github.com/jenkinsci-cert/SECURITY-218) provides a Groovy script that will disable CLI communication entirely.

This will disable all CLI communication.

Resolution

We are currently investigating a permanent resolution to this issue.

Additional Information

This post will be updated as soon as any change in status is available.

For any additional questions please contact CloudBees Support at http://support.cloudbees.com

The Jenkins Community announcement can be found here: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli