This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.
Remote code execution vulnerability in remoting module
SECURITY-360 / CVE-2016-9299
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
The following versions incorporate fixes for the vulnerabilities found in Jenkins:
- CloudBees Jenkins Operations Center 2.7.x.y (Rolling Train) should be upgraded to 188.8.131.52.
- CloudBees Jenkins Operations Center 2.7.x.0.y (Fixed Train) should be upgraded to 184.108.40.206.1
- CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.21.1
- CloudBees Jenkins Enterprise 2.7.x.y (Rolling Train) should be upgraded to 220.127.116.11
- CloudBees Jenkins Enterprise 2.7.x.0.y (Fixed Train) should be upgraded to 18.104.22.168.1
- CloudBees Jenkins Enterprise 1.651.x.y should be upgraded to 1.651.21.1
- CloudBees Jenkins Enterprise 1.642.x.y should be upgraded to 1.642.21.1
- Jenkins LTS should be upgraded to 2.19.3
- Jenkins main line should be upgraded to Jenkins 2.32
- DEV@cloud is already protected
All previous releases are affected by these vulnerabilities.