An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI. SignedObject carries its wrapped payload as a byte array and deserializes that payload with a new ObjectInputStream of its own, so the payload bypassed the existing blacklist-based protection mechanism applied to the outer stream. SignedObject has been added to the remoting blacklist.

In Jenkins 2.54, the remoting-based CLI protocol was deprecated and a new, HTTP-based protocol was introduced as the new default, in addition to the existing SSH-based CLI. This feature has been backported to Jenkins 2.46.2. It is strongly recommended that users upgrading Jenkins disable the remoting-based CLI and use one of the other modes (HTTP or SSH) instead.

Affected versions:
All Jenkins main line releases up to and including 2.56
All Jenkins LTS releases up to and including 2.46.1

Fixed in:
Jenkins main line users should update to 2.57
Jenkins LTS users should update to 2.46.2

External Reference: https://jenkins.io/security/advisory/2017-04-26/
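The following is an added example written for this page; it is not Jenkins code and not taken from the advisory. It reproduces the pattern the description refers to: a blacklist-style ObjectInputStream subclass (BlacklistObjectInputStream, an assumed name standing in for the remoting blacklist), a constructed placeholder class BlockedPayload standing in for a class the blacklist is meant to stop, and a java.security.SignedObject wrapping that payload. The outer blacklist stream accepts the SignedObject because only SignedObject and byte[] pass through resolveClass; SignedObject.getObject() then deserializes the wrapped bytes with a plain new ObjectInputStream that the blacklist never sees. The last step shows the fix the advisory describes: putting SignedObject itself on the blacklist.

```java
import java.io.*;
import java.security.*;
import java.util.*;

public class SignedObjectBypassDemo {

    // Constructed stand-in for a class the blacklist is meant to stop (assumption for the demo).
    public static final class BlockedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "should never be deserialized";
    }

    // Blacklist-style stream: reject listed class names in resolveClass.
    // This is the same shape as a blacklist-based protection on an ObjectInputStream,
    // and it only sees classes that THIS stream resolves.
    static final class BlacklistObjectInputStream extends ObjectInputStream {
        private final Set<String> blacklist;

        BlacklistObjectInputStream(InputStream in, Set<String> blacklist) throws IOException {
            super(in);
            this.blacklist = blacklist;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (blacklist.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "rejected by blacklist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data, Set<String> blacklist) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new BlacklistObjectInputStream(new ByteArrayInputStream(data), blacklist)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String blocked = BlockedPayload.class.getName();
        Set<String> blacklist = new HashSet<>(Collections.singletonList(blocked));

        // 1. Sent directly, the payload is stopped by the blacklist.
        try {
            deserialize(serialize(new BlockedPayload()), blacklist);
            System.out.println("direct: ACCEPTED (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("direct: rejected -> " + e.getMessage());
        }

        // 2. Wrapped in a SignedObject. The signature is no control at all: the sender
        //    signs with a key pair of their own, and getObject() does not verify anything.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withRSA");
        SignedObject wrapper = new SignedObject(new BlockedPayload(), kp.getPrivate(), sig);

        // The outer stream only resolves java.security.SignedObject and [B (byte[]),
        // neither of which is blacklisted, so it accepts the wrapper ...
        SignedObject received = (SignedObject) deserialize(serialize(wrapper), blacklist);
        // ... and getObject() reads the wrapped bytes through a new, unfiltered ObjectInputStream.
        Object inner = received.getObject();
        System.out.println("wrapped: outer stream accepted it; inner object is " + inner.getClass().getName());

        // 3. The fix from the advisory: blacklist SignedObject itself on the outer stream.
        Set<String> fixed = new HashSet<>(blacklist);
        fixed.add(SignedObject.class.getName());
        try {
            deserialize(serialize(wrapper), fixed);
            System.out.println("fixed: ACCEPTED (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("fixed: rejected -> " + e.getMessage());
        }
    }
}
```

Run with `javac SignedObjectBypassDemo.java && java SignedObjectBypassDemo`. The point to take from step 2 is that a resolveClass-based blacklist only covers the stream it is installed on; any class whose readObject or getter opens a second ObjectInputStream over attacker-controlled bytes is a bypass, which is why the fix is to block the wrapper class rather than the payload, and why the advisory recommends moving off the remoting-based CLI entirely.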
Acknowledgments: Name: the Jenkins project
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1446133] Affects: openshift-1 [bug 1446134]
Openshift 2 is EOL: https://access.redhat.com/support/policy/updates/openshift Fixed in Openshift 3.7, currently Jenkins latest is pointing to 3.10, see https://github.com/openshift/jenkins/blob/master/2/release.version
To expand on the last comment. The rpm jenkins-2.46.3-1.el7.noarch included in this image [1] was released after 2.46.2, and would be considered a newer release than Jenkins LTS 2.46.1.

From https://jenkins.io/doc/book/managing/cli/:
"Use of the CLI client distributed with Jenkins 2.53 and older and Jenkins LTS 2.46.1 and older is not recommended for security reasons: while there are no currently known vulnerabilities, several have been reported and patched in the past, and the Jenkins Remoting protocol it uses is inherently vulnerable to remote code execution bugs, even “preauthentication” exploits (by anonymous users able to physically access the Jenkins network)."

I would consider CVE-2017-1000353 a "known vulnerability" by the definition in this paragraph.

[1] https://access.redhat.com/containers/?tab=security#/registry.access.redhat.com/openshift3/jenkins-2-rhel7/images/v3.6.173.0.96-11
I used the test case here to verify this is fixed in the Jenkins image with tag v3.6.173.0.96-11: https://blogs.securiteam.com/index.php/archives/3171
Also uploading the test case to srtvulns/compoments/openshift/CVE-2017-1000353
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-1000353