Security Advisories
Jenkins Security Advisory2016-11-16
This advisory announces vulnerabilities in
,
and
CloudBees CI

This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.
Remote code execution vulnerability in remotingmodule
SECURITY-360 / CVE-2016-9299
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
Note
Warning
Severity
- SECURITY-360 is considered critical as it allows unprivileged attackers to execute arbitrary code.
Fix
The following versions incorporate fixes for the vulnerabilities found in Jenkins:
- CloudBees Jenkins Operations Center 2.7.x.y (Rolling Train) should be upgraded to 2.7.21.1.
- CloudBees Jenkins Operations Center 2.7.x.0.y (Fixed Train) should be upgraded to 2.7.21.0.1
- CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.21.1
- CloudBees Jenkins Enterprise 2.7.x.y (Rolling Train) should be upgraded to 2.7.21.1
- CloudBees Jenkins Enterprise 2.7.x.0.y (Fixed Train) should be upgraded to 2.7.21.0.1
- CloudBees Jenkins Enterprise 1.651.x.y should be upgraded to 1.651.21.1
- CloudBees Jenkins Enterprise 1.642.x.y should be upgraded to 1.642.21.1
- Jenkins LTS should be upgraded to 2.19.3
- Jenkins main line should be upgraded to Jenkins 2.32
- DEV@cloud is already protected
All previous releases are affected by these vulnerabilities.