Jenkins Security Advisory 2016-11-16

This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.

Remote code execution vulnerability in remoting module

SECURITY-360 / CVE-2016-9299

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI. Processing that object made Jenkins connect to an attacker-controlled LDAP server, which could in turn return a serialized payload leading to code execution, bypassing the existing protection mechanisms.

Severity: 
  • SECURITY-360 is considered critical as it allows unprivileged attackers to execute arbitrary code.
Fix: 

The following versions incorporate the fix for this vulnerability:

  • CloudBees Jenkins Operations Center 2.7.x.y (Rolling Train) should be upgraded to 2.7.21.1
  • CloudBees Jenkins Operations Center 2.7.x.0.y (Fixed Train) should be upgraded to 2.7.21.0.1
  • CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.21.1
  • CloudBees Jenkins Enterprise 2.7.x.y (Rolling Train) should be upgraded to 2.7.21.1
  • CloudBees Jenkins Enterprise 2.7.x.0.y (Fixed Train) should be upgraded to 2.7.21.0.1
  • CloudBees Jenkins Enterprise 1.651.x.y should be upgraded to 1.651.21.1
  • CloudBees Jenkins Enterprise 1.642.x.y should be upgraded to 1.642.21.1
  • Jenkins LTS should be upgraded to 2.19.3
  • Jenkins main line should be upgraded to Jenkins 2.32
  • DEV@cloud is already protected

All previous releases are affected by this vulnerability.
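As an added example (not part of this advisory and not Jenkins or CloudBees code), the following Python script turns the fix table above into a version check: given a version string, such as the value Jenkins reports in its `X-Jenkins` response header, it works out which train the version belongs to and compares it against the fixed version listed for that train. The fix versions are the ones in the advisory; the train-detection rule (number of dotted components plus the leading two components) and the sample inputs are assumptions of this example.

```python
"""Check a Jenkins / CloudBees Jenkins version against the SECURITY-360 fix table.

Added example: the fix versions below are transcribed from the advisory; the
train-detection rule and the sample inputs are assumptions of this script.
"""
import re
from typing import Optional, Tuple

# CloudBees trains, keyed by (leading two components, number of components).
# Assumption: a Rolling Train version has four components (2.7.x.y) and a
# Fixed Train version has five (2.7.x.0.y), as the advisory's patterns show.
CLOUDBEES_FIXES = {
    ((2, 7), 4): "2.7.21.1",      # CJOC / CJE 2.7.x.y (Rolling Train)
    ((2, 7), 5): "2.7.21.0.1",    # CJOC / CJE 2.7.x.0.y (Fixed Train)
    ((1, 625), 4): "1.625.21.1",  # CJOC 1.625.x.y
    ((1, 651), 4): "1.651.21.1",  # CJE 1.651.x.y
    ((1, 642), 4): "1.642.21.1",  # CJE 1.642.x.y
}

# Open-source Jenkins lines, keyed by number of components.
JENKINS_FIXES = {
    3: "2.19.3",  # Jenkins LTS (a.b.c)
    2: "2.32",    # Jenkins main line (a.b)
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the leading dotted-numeric part of a version string as an int tuple.

    Trailing qualifiers such as '-SNAPSHOT' are ignored; anything that does not
    start with a dotted number is rejected rather than silently compared.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def fixed_version_for(version: Tuple[int, ...]) -> Optional[str]:
    """Return the advisory's fix version for this version's train, or None
    when the train is not listed in the table."""
    n = len(version)
    if n in JENKINS_FIXES:
        return JENKINS_FIXES[n]
    return CLOUDBEES_FIXES.get((version[:2], n))


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Classify a running version against SECURITY-360 / CVE-2016-9299.

    Returns (status, fix) where status is 'fixed', 'vulnerable' or 'unlisted'.
    'unlisted' means the train is not in the table; the advisory states that all
    previous releases are affected, so such an instance still needs an upgrade
    to one of the listed trains.
    """
    version = parse_version(version_text)
    fix = fixed_version_for(version)
    if fix is None:
        return "unlisted", None
    status = "fixed" if version >= parse_version(fix) else "vulnerable"
    return status, fix


if __name__ == "__main__":
    # Constructed sample inputs, one per train plus an unlisted one.
    for sample in ["2.31", "2.32", "2.19.2", "2.19.3-SNAPSHOT",
                   "2.7.20.2", "2.7.21.1", "2.7.20.0.1",
                   "1.625.21.1", "1.642.20.1", "1.609.21.1"]:
        status, fix = assess(sample)
        print(f"{sample:>16}: {status:<10} fix={fix}")
```

The comparison is a plain lexicographic compare of integer tuples, which is why a train is looked up before comparing: 2.7.21.1 (Rolling Train) and 2.19.3 (LTS) are not comparable with each other, only with the fix version of their own train.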