Bug 1395172 (CVE-2016-9299) - CVE-2016-9299 jenkins: Java deserialization flaw leads to RCE
Summary: CVE-2016-9299 jenkins: Java deserialization flaw leads to RCE
Status: NEW
Alias: CVE-2016-9299
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20161111,repo...
Keywords: Security
Depends On: 1395173 1395174
Blocks: 1395176
Reported: 2016-11-15 10:41 UTC by Adam Mariš
Modified: 2019-06-08 21:34 UTC
Clone Of:
Last Closed:



Description Adam Mariš 2016-11-15 10:41:46 UTC
An unauthenticated remote code execution vulnerability was discovered in the Jenkins continuous integration and continuous delivery automation server. A serialized Java object transferred to the Jenkins CLI can make Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.

Upstream advisory:

https://groups.google.com/forum/#!msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ

CVE assignment:

http://seclists.org/oss-sec/2016/q4/423


Mitigation:

https://github.com/jenkinsci-cert/SECURITY-218

Comment 2 Adam Mariš 2016-11-15 10:42:38 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1395174]

Comment 3 Andrej Nemec 2016-11-18 10:15:15 UTC
External References:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16

Comment 4 Trevor Jay 2016-11-21 04:30:47 UTC
I've looked at our Jenkins container images (from/for OpenShift) and I am *not* recommending respins of those images.

While mentioned in the `EXPOSE` list, port 50000 (the CLI port) is only available to the outside world if the user either explicitly maps it (`-p 50000:X`) or uses the always-a-bad-idea `-P`. In OpenShift, port 50000 is not automatically exposed via `oc expose svc/jenkins-X-rhel7` as only the web interface (8080) is listed in the `openshift.io.expose-services` label and routed to.

In other words: the CLI is by default only exposed within the private network on vanilla Docker and only within the cluster by default on vanilla OpenShift. This lowers the risk to moderate within these contexts and---in my judgement---below the threshold needed to require respins.

_Trevor
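
As an added example (not part of this bug report or of the Red Hat images), the distinction drawn above between a port that is merely in the image's `EXPOSE` list and one actually published to the host with `-p`/`-P` can be checked mechanically from `docker inspect` output; the inspect records below are constructed, and `cli_port_exposure` and `_record` are names chosen here.

```python
import json

CLI_PORT = "50000/tcp"  # the Jenkins CLI port listed in the image's EXPOSE list


def cli_port_exposure(inspect_output: str) -> dict:
    """Classify how the Jenkins CLI port is reachable from `docker inspect` JSON.

    exposed   : port is in the image's EXPOSE list (bridge network only)
    published : port is bound to a host interface, via an explicit -p mapping
                or -P (which publishes every exposed port to an ephemeral port)
    bindings  : host "ip:port" pairs the CLI port is reachable on
    """
    doc = json.loads(inspect_output)
    c = doc[0] if isinstance(doc, list) else doc
    cfg = c.get("Config") or {}
    host = c.get("HostConfig") or {}
    net = c.get("NetworkSettings") or {}

    exposed = CLI_PORT in (cfg.get("ExposedPorts") or {})
    # Requested view (-p arguments) and runtime view (what the daemon bound;
    # NetworkSettings.Ports maps an exposed-but-unpublished port to null).
    requested = (host.get("PortBindings") or {}).get(CLI_PORT) or []
    runtime = (net.get("Ports") or {}).get(CLI_PORT) or []
    bindings = sorted({f"{b.get('HostIp') or '0.0.0.0'}:{b.get('HostPort') or 'ephemeral'}"
                       for b in requested + runtime})
    published = bool(bindings) or (exposed and bool(host.get("PublishAllPorts")))
    return {"exposed": exposed, "published": published, "bindings": bindings}


def _record(port_bindings, publish_all, runtime_ports):
    """Build a constructed (not real) docker inspect record for a Jenkins image."""
    return json.dumps([{
        "Config": {"ExposedPorts": {"8080/tcp": {}, CLI_PORT: {}}},
        "HostConfig": {"PortBindings": port_bindings, "PublishAllPorts": publish_all},
        "NetworkSettings": {"Ports": runtime_ports},
    }])


WEB_ONLY = _record({"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}, False,
                   {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}], CLI_PORT: None})
CLI_MAPPED = _record({CLI_PORT: [{"HostIp": "", "HostPort": "50000"}]}, False,
                     {CLI_PORT: [{"HostIp": "0.0.0.0", "HostPort": "50000"}], "8080/tcp": None})
PUBLISH_ALL = _record({}, True,
                      {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32768"}],
                       CLI_PORT: [{"HostIp": "0.0.0.0", "HostPort": "32769"}]})

if __name__ == "__main__":
    for name, rec in (("web only (-p 8080:8080)", WEB_ONLY),
                      ("cli mapped (-p 50000:50000)", CLI_MAPPED),
                      ("publish all (-P)", PUBLISH_ALL)):
        print(name, cli_port_exposure(rec))
```

Only the first record matches the default the comment describes (web interface published, CLI port reachable on the bridge network alone); the other two are the `-p 50000:X` and `-P` cases it warns about.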

