Bug 1446114 - (CVE-2017-1000353) CVE-2017-1000353 jenkins: Unauthenticated remote code execution (SECURITY-429)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20170426,repo...
Keywords: Security
Depends On: 1446133 1446134
Blocks: 1395176 1446135
Reported: 2017-04-27 05:45 EDT by Adam Mariš
Modified: 2018-06-29 18:20 EDT
Fixed In Version: jenkins 2.46.2, jenkins 2.57


Description Adam Mariš 2017-04-27 05:45:25 EDT
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.

SignedObject has been added to the remoting blacklist.

In Jenkins 2.54, the remoting-based CLI protocol was deprecated and a new, HTTP-based protocol introduced as the new default, in addition to the existing SSH-based CLI. This feature has been backported to Jenkins 2.46.2. It is strongly recommended that users upgrading Jenkins disable the remoting-based CLI and use one of the other modes (HTTP or SSH) instead.

Affected versions:

    All Jenkins main line releases up to and including 2.56
    All Jenkins LTS releases up to and including 2.46.1

Fixed in:

    Jenkins main line users should update to 2.57
    Jenkins LTS users should update to 2.46.2

External Reference:

https://jenkins.io/security/advisory/2017-04-26/
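The bypass the description talks about, modelled as an added Python example (this is not Jenkins code and not the real SignedObject gadget chain): pickle's Unpickler.find_class plays the role of the remoting blacklist (Jenkins' ClassFilter on the outer ObjectInputStream), Gadget stands in for a known-bad class, and Envelope stands in for java.security.SignedObject, which carries an opaque serialized payload and hands it to a fresh, unfiltered stream. Class names, the blocklist contents and the command string are constructed for the demo.

```python
import io
import pickle


class Blocked(Exception):
    """Raised when the outer filter rejects a class by name."""


def qualname(cls):
    """module.Class, the form the blocklist is keyed on."""
    return f"{cls.__module__}.{cls.__name__}"


class BlocklistUnpickler(pickle.Unpickler):
    """Stand-in for a blacklist-based ObjectInputStream.

    It can only inspect class references in the stream it was handed; a
    stream that a deserialized object opens on its own is invisible to it.
    """

    def __init__(self, data, blocklist):
        super().__init__(io.BytesIO(data))
        self.blocklist = set(blocklist)

    def find_class(self, module, name):
        if f"{module}.{name}" in self.blocklist:
            raise Blocked(f"{module}.{name}")
        return super().find_class(module, name)


class Gadget:
    """Stand-in for a known-bad gadget class: deserializing it has a side effect."""

    fired = []  # constructed test hook: records every command that got through

    def __init__(self, command):
        self.command = command

    def __setstate__(self, state):
        self.command = state["command"]
        Gadget.fired.append(self.command)  # in a real chain: code execution


class Envelope:
    """Stand-in for java.security.SignedObject: an allowed class whose own
    deserialization logic opens a *new*, unfiltered stream over its content."""

    def __init__(self, payload):
        self.payload = payload

    def __setstate__(self, state):
        self.payload = state["payload"]
        # Fresh deserializer: the outer blocklist never sees these classes.
        self.inner = pickle.loads(self.payload)


def build_direct():
    """Naive payload: the gadget on the outer stream, where the filter sees it."""
    return pickle.dumps(Gadget("id"))


def build_attack():
    """Wrap the blocked Gadget inside an Envelope, as the CVE did with SignedObject."""
    return pickle.dumps(Envelope(pickle.dumps(Gadget("id > /tmp/pwned"))))


def receive(data, blocklist):
    """Deserialize with the blocklist; return (outcome, number of gadgets that fired)."""
    Gadget.fired.clear()
    try:
        BlocklistUnpickler(data, blocklist).load()
        outcome = "accepted"
    except Blocked as exc:
        outcome = f"blocked {exc}"
    return outcome, len(Gadget.fired)


if __name__ == "__main__":
    before_fix = {qualname(Gadget)}                    # only the gadget is listed
    after_fix = before_fix | {qualname(Envelope)}      # the SignedObject-style fix
    print(receive(build_direct(), before_fix))   # blocked, 0 fired
    print(receive(build_attack(), before_fix))   # accepted, 1 fired: the bypass
    print(receive(build_attack(), after_fix))    # blocked, 0 fired
```

The second call is the CVE: the outer filter accepts Envelope, and the gadget is then loaded by the inner stream the filter never sees. Listing Envelope as well (the SignedObject fix) closes this one wrapper, but any other allowed class that opens its own stream reopens the hole, which is why the advisory recommends disabling the remoting-based CLI rather than relying on the blacklist alone. Jenkins exposes that switch in the script console as jenkins.CLI.get().setEnabled(false) (from the Jenkins CLI documentation, not from this bug).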
Comment 1 Adam Mariš 2017-04-27 05:45:46 EDT
Acknowledgments:

Name: the Jenkins project
Comment 2 Adam Mariš 2017-04-27 06:08:16 EDT
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1446133]
Affects: openshift-1 [bug 1446134]
Comment 4 Jason Shepherd 2018-03-15 03:42:40 EDT
Openshift 2 is EOL: https://access.redhat.com/support/policy/updates/openshift

Fixed in Openshift 3.7, currently Jenkins latest is pointing to 3.10, see https://github.com/openshift/jenkins/blob/master/2/release.version
Comment 5 Jason Shepherd 2018-03-20 04:11:00 EDT
To expand on the last comment. The rpm jenkins-2.46.3-1.el7.noarch included in this image, [1] was released after 2.46.2, and would be considered a newer release than Jenkins LTS 2.46.1.

From https://jenkins.io/doc/book/managing/cli/

"Use of the CLI client distributed with Jenkins 2.53 and older and Jenkins LTS 2.46.1 and older is not recommended for security reasons: while there are no currently known vulnerabilities, several have been reported and patched in the past, and the Jenkins Remoting protocol it uses is inherently vulnerable to remote code execution bugs, even “preauthentication” exploits (by anonymous users able to physically access the Jenkins network)."

I would consider CVE-2017-1000353 a "known vulnerability" by the definition in this paragraph.

[1] https://access.redhat.com/containers/?tab=security#/registry.access.redhat.com/openshift3/jenkins-2-rhel7/images/v3.6.173.0.96-11
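The version reasoning in the comment above (2.46.3 is newer than the 2.46.2 fix, and an LTS line is compared against a different boundary than the main line), as an added Python check that is not part of this bug or of any Red Hat tooling. It encodes the affected ranges from the description and assumes, as the Jenkins numbering scheme does, that LTS releases carry three numeric components (2.46.1) and main-line releases two (2.57). The RPM name and version strings in the test are taken from this bug or constructed.

```python
import re

# Boundaries from the description of this bug: last affected release per line.
LAST_AFFECTED_MAINLINE = (2, 56)   # fixed in 2.57
LAST_AFFECTED_LTS = (2, 46, 1)     # fixed in 2.46.2

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Pull the Jenkins version tuple out of a bare version string, an
    X-Jenkins response header value, or an RPM name such as
    jenkins-2.46.3-1.el7.noarch (the first dotted numeric run wins, so the
    RPM release suffix '-1.el7' is ignored)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Jenkins version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_lts(version):
    """Assumption: three components means an LTS release, two means main line."""
    return len(version) == 3


def is_affected(text):
    """True if the given Jenkins version falls in the affected range for its line.
    Tuple comparison, not string comparison, so 2.46.3 > 2.46.2 and 2.57 > 2.56."""
    version = parse_version(text)
    boundary = LAST_AFFECTED_LTS if is_lts(version) else LAST_AFFECTED_MAINLINE
    return version <= boundary


def triage(candidates):
    """Map each inventory entry to 'affected' or 'fixed' for a quick fleet sweep."""
    return {c: ("affected" if is_affected(c) else "fixed") for c in candidates}


if __name__ == "__main__":
    inventory = [                        # constructed inventory
        "jenkins-2.46.3-1.el7.noarch",   # the RPM from comment 5
        "2.46.1", "2.46.2", "2.56", "2.57", "1.658",
    ]
    for entry, verdict in triage(inventory).items():
        print(f"{entry:32} {verdict}")
```

A "fixed" verdict here only means the SignedObject gadget is on the blacklist for that build; the remoting-based CLI should still be disabled as the description recommends, since the check says nothing about that setting.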
Comment 6 Jason Shepherd 2018-03-20 21:59:52 EDT
I used the test case here to verify this is fixed in Jenkins image with tag v3.6.173.0.96-11.

https://blogs.securiteam.com/index.php/archives/3171

Also uploading the test case to srtvulns/compoments/openshift/CVE-2017-1000353
