Jenkins multiple vulnerabilities
On April 26, 2017, the Jenkins project (a widely used software integration platform) published a security advisory together with updated releases that fix several security vulnerabilities (CVE-2017-1000353, CVE-2017-1000354, CVE-2017-1000355 and CVE-2017-1000356).
Brief description of the vulnerabilities
CVE-2017-1000356
Jenkins contained multiple CSRF vulnerabilities. By luring an authenticated user to a malicious page, an attacker could restart Jenkins immediately or after running jobs finish, remove all configured update sites, install and load any plugin available on a configured update site, change the Jenkins system, security and tool configuration, create new agents, and so on.
CVE-2017-1000353
This vulnerability allows unauthenticated remote code execution. An attacker could send a serialized Java SignedObject to the remoting-based Jenkins CLI; the object was deserialized with a new, unprotected ObjectInputStream, which bypassed the existing blacklist-based deserialization protection.
CVE-2017-1000354
The remoting-based CLI stored the encrypted user name of a previously authenticated user in a cache file that was used to authenticate further commands. Users able to create secrets in Jenkins (for example through job configuration) could use this to impersonate any other Jenkins user on the same instance.
CVE-2017-1000355
Jenkins uses the XStream library to serialize and deserialize XML. Its maintainers recently disclosed a vulnerability that lets anyone who can supply XML to be processed with XStream crash the Java process. In Jenkins this typically means users with permission to create or configure items (jobs), views or agents could crash the Jenkins process (denial of service).
For detailed vulnerability information, please refer to the official advisory: https://jenkins.io/security/advisory/2017-04-26/
Affected versions
- Jenkins Version <= 2.56
- Jenkins LTS Version <= 2.46.1
Unaffected (fixed) versions
- Jenkins Version 2.57
- Jenkins LTS Version 2.46.2
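The following script is an added example (not code from the Jenkins project or the original advisory) that turns the version boundaries above into a check a practitioner can run against the X-Jenkins response header that a Jenkins instance sends. It assumes the usual Jenkins numbering: weekly releases carry two-component versions (2.56) and LTS releases three (2.46.1), and it treats the X-Jenkins-CLI-Port header as an indication that the remoting-based CLI port is advertised (header name as observed on instances of that era; treat it as an assumption). The HTTP response it parses is constructed inline, not captured from a real host.

```python
"""Decide from a Jenkins HTTP response whether the server falls in the
affected range of the 2017-04-26 advisory (weekly <= 2.56, LTS <= 2.46.1).

Added example; boundaries come from the advisory, everything else is
assumed (see the lead-in above).
"""
import re

# Last affected versions per release line, taken from the advisory.
LAST_AFFECTED_WEEKLY = (2, 56)
LAST_AFFECTED_LTS = (2, 46, 1)

# Constructed sample response (not a real capture). Jenkins sends its
# version in the X-Jenkins header on every response, including 403s.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.46.1\r\n"
    "X-Jenkins-Session: 8ad4b8f2\r\n"
    "X-Jenkins-CLI-Port: 50000\r\n"  # assumed: remoting CLI port advertised
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)


def parse_version(version):
    """Turn '2.46.1' into (2, 46, 1); reject anything that is not
    two or three dot-separated integers (e.g. snapshot builds)."""
    if not re.fullmatch(r"\d+(\.\d+){1,2}", version):
        raise ValueError("unrecognised Jenkins version string: %r" % version)
    return tuple(int(part) for part in version.split("."))


def is_lts(version):
    """LTS releases use three components (2.46.1), weeklies use two (2.56)."""
    return len(parse_version(version)) == 3


def is_affected(version):
    """Compare against the right release line; tuples compare lexically,
    so 2.32.3 < 2.46.1 and 2.7 < 2.56 both count as affected."""
    parsed = parse_version(version)
    if len(parsed) == 3:
        return parsed <= LAST_AFFECTED_LTS
    return parsed <= LAST_AFFECTED_WEEKLY


def header_value(raw_response, name):
    """Return the value of a header from a raw HTTP response head,
    matching the name case-insensitively, or None when absent."""
    for line in raw_response.split("\r\n"):
        if line == "":
            break  # end of headers
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None


def classify(raw_response):
    """Summarise what the headers tell us about exposure to the advisory."""
    version = header_value(raw_response, "X-Jenkins")
    if version is None:
        return {"version": None, "lts": None, "affected": None, "cli_port": None}
    cli_port = header_value(raw_response, "X-Jenkins-CLI-Port")
    return {
        "version": version,
        "lts": is_lts(version),
        "affected": is_affected(version),
        # The remoting-based CLI is the vector for CVE-2017-1000353/-1000354.
        "cli_port": int(cli_port) if cli_port is not None else None,
    }


if __name__ == "__main__":
    print(classify(SAMPLE_RESPONSE))
```

Point it at a live instance by replacing SAMPLE_RESPONSE with the head of an HTTP response to the server root; an affected result combined with an advertised CLI port is the case that needs upgrading most urgently, since CVE-2017-1000353 requires no authentication.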
Mitigation
The Jenkins project has released new versions that fix the vulnerabilities above. Affected users should upgrade to a fixed version as soon as possible; the download link is as follows:
Reference link:
http://www.securityfocus.com/bid/98056/info