Bug 1395172 (CVE-2016-9299)

Summary: CVE-2016-9299 jenkins: Java deserialization flaw leads to RCE
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, bleanhar, ccoleman, dedgar, dmcphers, java-sig-commits, jgoulding, jialiu, joelsmith, jokerman, lmeyer, mizdebsk, mmccomas, msrb, tdawson, tiwillia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 11:47:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1395173, 1395174
Bug Blocks: 1395176

Description Adam Mariš 2016-11-15 10:41:46 UTC
An unauthenticated remote code execution vulnerability was discovered in the Jenkins continuous integration and continuous delivery automation server. A serialized Java object transferred to the Jenkins CLI can make Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.

Upstream advisory:

https://groups.google.com/forum/#!msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ

CVE assignment:

http://seclists.org/oss-sec/2016/q4/423
Mitigation:

https://github.com/jenkinsci-cert/SECURITY-218
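The description above turns on one point: once an untrusted serialized Java object reaches `ObjectInputStream.readObject()`, the classes named in the stream are loaded and their deserialization hooks run, which is where a gadget chain gets to make an outbound connection. The standard defensive pattern is look-ahead deserialization, which checks each class name against an allow-list before the class is resolved. The following is an added illustration of that pattern, not code from Jenkins or from the advisory linked above; the allow-list contents, the `Command` message type and the `Unexpected` stand-in type are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class AllowListObjectInputStream extends ObjectInputStream {
    // Hypothetical allow-list: only the types this endpoint legitimately exchanges.
    // java.lang.Number is listed because Integer's superclass descriptor is also in the stream.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.lang.Integer",
        "java.lang.Number",
        "AllowListObjectInputStream$Command"
    ));

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Invoked for every class descriptor in the stream *before* the class is loaded.
    // Rejecting unknown names here stops a gadget chain before any readObject()
    // hook (the step that would perform an outbound JNDI/LDAP lookup) can run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample message type: the one object this endpoint expects.
    static final class Command implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final Integer retries;
        Command(String name, Integer retries) { this.name = name; this.retries = retries; }
    }

    // Constructed stand-in for any serializable type that is NOT on the list.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected message type deserializes normally.
        Command c = (Command) deserialize(serialize(new Command("build", 3)));
        System.out.println("accepted: " + c.name + " retries=" + c.retries);

        // Any other type is refused before its class is resolved.
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list has to be tight to be useful: listing broad base types or collection classes reopens the door, because the filter only sees names, not intent. On Java 9 and later the same policy can be expressed with the built-in `ObjectInputFilter` API instead of overriding `resolveClass`.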

Comment 2 Adam Mariš 2016-11-15 10:42:38 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1395174]

Comment 3 Andrej Nemec 2016-11-18 10:15:15 UTC
External References:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16

Comment 4 Trevor Jay 2016-11-21 04:30:47 UTC
I've looked at our Jenkins container images (from/for OpenShift) and I am *not* recommending respins of those images.

While mentioned in the `EXPOSE` list, port 50000 (the CLI port) is only available to the outside world if the user either explicitly maps it (`-p 50000:X`) or uses the always-a-bad-idea `-P`. In OpenShift, port 50000 is not automatically exposed via `oc expose svc/jenkins-X-rhel7` as only the web interface (8080) is listed in the `openshift.io.expose-services` label and routed to.

In other words: the CLI is by default only exposed within the private network on vanilla Docker and only within the cluster by default on vanilla OpenShift. This lowers the risk to moderate within these contexts and---in my judgement---below the threshold needed to require respins.

_Trevor