This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.
Remote code execution vulnerability in remotingmodule
SECURITY-360 / CVE-2016-9299
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
The following versions incorporate fixes for the vulnerabilities found in Jenkins:
CloudBees Jenkins Operations Center 2.7.x.y (Rolling Train) should be upgraded to 184.108.40.206.
CloudBees Jenkins Operations Center 2.7.x.0.y (Fixed Train) should be upgraded to 220.127.116.11.1
CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.21.1
CloudBees Jenkins Enterprise 2.7.x.y (Rolling Train) should be upgraded to 18.104.22.168
CloudBees Jenkins Enterprise 2.7.x.0.y (Fixed Train) should be upgraded to 22.214.171.124.1
CloudBees Jenkins Enterprise 1.651.x.y should be upgraded to 1.651.21.1
CloudBees Jenkins Enterprise 1.642.x.y should be upgraded to 1.642.21.1
Jenkins LTS should be upgraded to 2.19.3
Jenkins main line should be upgraded to Jenkins 2.32
DEV@cloud is already protected
All previous releases are affected by these vulnerabilities.