Bug 1446114 (CVE-2017-1000353) - CVE-2017-1000353 jenkins: Unauthenticated remote code execution (SECURITY-429)
Summary: CVE-2017-1000353 jenkins: Unauthenticated remote code execution (SECURITY-429)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-1000353
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1446133 1446134
Blocks: 1395176 1446135
Reported: 2017-04-27 09:45 UTC by Adam Mariš
Modified: 2021-08-27 18:32 UTC (History)

Fixed In Version: jenkins 2.46.2, jenkins 2.57
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-20 21:16:24 UTC
Embargoed:



Description Adam Mariš 2017-04-27 09:45:25 UTC
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.

SignedObject has been added to the remoting blacklist.

In Jenkins 2.54, the remoting-based CLI protocol was deprecated and a new, HTTP-based protocol was introduced as the new default, in addition to the existing SSH-based CLI. This feature has been backported to Jenkins 2.46.2. It is strongly recommended that users upgrading Jenkins disable the remoting-based CLI, and use one of the other modes (HTTP or SSH) instead.

Affected versions:

    All Jenkins main line releases up to and including 2.56
    All Jenkins LTS releases up to and including 2.46.1

Fixed in:

    Jenkins main line users should update to 2.57
    Jenkins LTS users should update to 2.46.2

External Reference:

https://jenkins.io/security/advisory/2017-04-26/
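The description above says the bypass worked because SignedObject unwraps its payload with a fresh ObjectInputStream that the remoting blacklist never sees. The following Java program is an added illustration written for this page; it is not Jenkins or remoting code, and it models the remoting blacklist with a simplified per-stream resolveClass() check rather than the real ClassFilter. The Marker class is a hypothetical, harmless stand-in for any type an endpoint does not intend to accept. It shows the inner object getting through a per-stream blacklist, and then shows that a process-wide JEP 290 serial filter (Java 9 and later) is also consulted by the ObjectInputStream that SignedObject.getObject() creates internally, so an allow-list filter at that level closes this class of nesting bypass regardless of which wrapper type is used.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

public class NestedDeserializationDemo {

    // Hypothetical stand-in for a class an endpoint never intends to accept from the network.
    static final class Marker implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        Marker(String note) { this.note = note; }
    }

    // Simplified model of a per-stream blacklist: only classes read by THIS stream are checked.
    static final class BlacklistingStream extends ObjectInputStream {
        private final Set<String> blocked;
        BlacklistingStream(InputStream in, Set<String> blocked) throws IOException {
            super(in);
            this.blocked = blocked;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (blocked.contains(desc.getName())) {
                throw new InvalidClassException("blocked by per-stream blacklist: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed sample input: a Marker wrapped in a SignedObject signed with a throwaway key.
    // SignedObject only verifies integrity against a key the sender chose; it says nothing about trust.
    static byte[] wrappedPayload() throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withRSA");
        SignedObject so = new SignedObject(new Marker("inner object"), kp.getPrivate(), sig);
        return serialize(so);
    }

    // Reads the outer object through the blacklist, then unwraps it as any consumer of a SignedObject would.
    static String readWithBlacklist(byte[] bytes) throws Exception {
        Set<String> blocked = Set.of(Marker.class.getName());
        try (ObjectInputStream in = new BlacklistingStream(new ByteArrayInputStream(bytes), blocked)) {
            Object outer = in.readObject();            // SignedObject is not on the list, so this succeeds
            if (outer instanceof SignedObject) {
                // getObject() builds a new ObjectInputStream inside the JDK; resolveClass() above never runs for it
                Object inner = ((SignedObject) outer).getObject();
                return inner.getClass().getName();
            }
            return outer.getClass().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = wrappedPayload();

        // 1. Per-stream blacklist: the blocked Marker is still materialised via the nested stream.
        System.out.println("per-stream blacklist let through: " + readWithBlacklist(bytes));

        // 2. Process-wide JEP 290 filter: applies to every ObjectInputStream in this JVM, including
        //    the one created inside SignedObject.getObject(). Reject SignedObject outright and allow
        //    only what the endpoint legitimately expects; "!*" rejects everything else.
        //    Note: the process-wide filter can be set only once per JVM.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(
                "!java.security.SignedObject;java.lang.*;java.util.*;!*"));
        try {
            readWithBlacklist(bytes);
            System.out.println("unexpected: filter did not fire");
        } catch (InvalidClassException e) {
            // Expected: the outer SignedObject is rejected before any nested stream exists
            System.out.println("process-wide filter rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a Java 9 or newer JDK (`javac NestedDeserializationDemo.java && java NestedDeserializationDemo`). The first line of output names the Marker class, showing the blacklist was bypassed; the second reports the InvalidClassException raised by the filter. The same process-wide filter can be applied without code changes through the `jdk.serialFilter` system property, which is the setting a defender would check on any JVM that still accepts serialized input from untrusted sources.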

Comment 1 Adam Mariš 2017-04-27 09:45:46 UTC
Acknowledgments:

Name: the Jenkins project

Comment 2 Adam Mariš 2017-04-27 10:08:16 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1446133]
Affects: openshift-1 [bug 1446134]

Comment 4 Jason Shepherd 2018-03-15 07:42:40 UTC
Openshift 2 is EOL: https://access.redhat.com/support/policy/updates/openshift

Fixed in Openshift 3.7, currently Jenkins latest is pointing to 3.10, see https://github.com/openshift/jenkins/blob/master/2/release.version

Comment 5 Jason Shepherd 2018-03-20 08:11:00 UTC
To expand on the last comment: the rpm jenkins-2.46.3-1.el7.noarch included in this image [1] was released after 2.46.2, and would be considered a newer release than Jenkins LTS 2.46.1.

From https://jenkins.io/doc/book/managing/cli/

"Use of the CLI client distributed with Jenkins 2.53 and older and Jenkins LTS 2.46.1 and older is not recommended for security reasons: while there are no currently known vulnerabilities, several have been reported and patched in the past, and the Jenkins Remoting protocol it uses is inherently vulnerable to remote code execution bugs, even “preauthentication” exploits (by anonymous users able to physically access the Jenkins network)."

I would consider CVE-2017-1000353 a "known vulnerability" by the definition in this paragraph.

[1] https://access.redhat.com/containers/?tab=security#/registry.access.redhat.com/openshift3/jenkins-2-rhel7/images/v3.6.173.0.96-11

Comment 6 Jason Shepherd 2018-03-21 01:59:52 UTC
I used the test case here to verify this is fixed in the Jenkins image with tag v3.6.173.0.96-11.

https://blogs.securiteam.com/index.php/archives/3171

Also uploading the test case to srtvulns/compoments/openshift/CVE-2017-1000353

Comment 7 Product Security DevOps Team 2020-05-20 21:16:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-1000353
