Bug 1446114 (CVE-2017-1000353)

Summary: CVE-2017-1000353 jenkins: Unauthenticated remote code execution (SECURITY-429)
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, ahardin, bleanhar, ccoleman, dbaker, dedgar, dmcphers, java-sig-commits, jgoulding, jkeck, joelsmith, jokerman, jshepherd, mchappel, mizdebsk, mpark, msrb, ngaywood, tdawson, tiwillia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jenkins 2.46.2, jenkins 2.57
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-05-20 21:16:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1446133, 1446134
Bug Blocks: 1395176, 1446135

Description Adam Mariš 2017-04-27 09:45:25 UTC
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, which would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.

SignedObject has been added to the remoting blacklist.

In Jenkins 2.54, the remoting-based CLI protocol was deprecated and a new, HTTP-based protocol introduced as the new default, in addition to the existing SSH-based CLI. This feature has been backported to Jenkins 2.46.2. It is strongly recommended that users upgrading Jenkins disable the remoting-based CLI and use one of the other modes (HTTP or SSH) instead.

Affected versions:

    All Jenkins main line releases up to and including 2.56
    All Jenkins LTS releases up to and including 2.46.1

Fixed in:

    Jenkins main line users should update to 2.57
    Jenkins LTS users should update to 2.46.2

External Reference:

https://jenkins.io/security/advisory/2017-04-26/
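Added example (not code from the bug report or from Jenkins) showing the defensive point of the description: a Java 8 style deny-list ObjectInputStream that rejects java.security.SignedObject at the outer layer. SignedObject.getObject() deserializes the wrapped bytes with its own fresh ObjectInputStream, so an outer class filter that lets the wrapper through never sees what is inside it; the only sound fix at the filter level is to deny the wrapper class itself (on Java 9+ a process-wide ObjectInputFilter is the better tool). The payload, key pair and deny list below are constructed for the demo.

```java
import java.io.*;
import java.security.*;
import java.util.*;

public class SignedObjectDenyListDemo {
    // Constructed deny list for this demo; SignedObject is the class the advisory added.
    static final Set<String> DENIED =
        new HashSet<>(Collections.singletonList("java.security.SignedObject"));

    /** resolveClass() runs before a class is loaded, so the check happens first. */
    static class FilteredInput extends ObjectInputStream {
        FilteredInput(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (DENIED.contains(desc.getName())) {
                throw new InvalidClassException("denied by deny list: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Returns "accepted <class>" or the rejection message produced by the filter. */
    static String readFiltered(byte[] data) throws IOException {
        try (FilteredInput in = new FilteredInput(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        } catch (ClassNotFoundException e) {
            return "rejected: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Harmless inner object; the wrapper carries its own serialized copy and would
        // deserialize it unfiltered in getObject() if the wrapper itself were allowed.
        ArrayList<String> inner = new ArrayList<>(Collections.singletonList("benign"));
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        SignedObject wrapper = new SignedObject(inner, kp.getPrivate(),
                Signature.getInstance("SHA256withRSA"));

        System.out.println(readFiltered(serialize(inner)));   // plain list passes
        System.out.println(readFiltered(serialize(wrapper))); // wrapper is refused
    }
}
```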

Comment 1 Adam Mariš 2017-04-27 09:45:46 UTC
Acknowledgments:

Name: the Jenkins project

Comment 2 Adam Mariš 2017-04-27 10:08:16 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1446133]
Affects: openshift-1 [bug 1446134]

Comment 4 Jason Shepherd 2018-03-15 07:42:40 UTC
Openshift 2 is EOL: https://access.redhat.com/support/policy/updates/openshift

Fixed in Openshift 3.7; currently the Jenkins latest tag points to 3.10, see https://github.com/openshift/jenkins/blob/master/2/release.version

Comment 5 Jason Shepherd 2018-03-20 08:11:00 UTC
To expand on the last comment: the rpm jenkins-2.46.3-1.el7.noarch included in this image [1] was released after 2.46.2, and would be considered a newer release than Jenkins LTS 2.46.1.

From, https://jenkins.io/doc/book/managing/cli/

"Use of the CLI client distributed with Jenkins 2.53 and older and Jenkins LTS 2.46.1 and older is not recommended for security reasons: while there are no currently known vulnerabilities, several have been reported and patched in the past, and the Jenkins Remoting protocol it uses is inherently vulnerable to remote code execution bugs, even “preauthentication” exploits (by anonymous users able to physically access the Jenkins network)."

I would consider CVE-2017-1000353 a "known vulnerability" by the definition in this paragraph.

[1] https://access.redhat.com/containers/?tab=security#/registry.access.redhat.com/openshift3/jenkins-2-rhel7/images/v3.6.173.0.96-11

Comment 6 Jason Shepherd 2018-03-21 01:59:52 UTC
I used the test case here to verify this is fixed in the Jenkins image with tag v3.6.173.0.96-11.

https://blogs.securiteam.com/index.php/archives/3171

Also uploading the test case to srtvulns/compoments/openshift/CVE-2017-1000353

Comment 7 Product Security DevOps Team 2020-05-20 21:16:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-1000353