On February 1, 2017, Jenkins published a security advisory covering 18 vulnerabilities of varying severity. One of them, rated high severity, allows remote code execution against Jenkins instances and therefore poses a serious security risk. Jenkins has released new versions that fix this vulnerability.
See the following for more information about the vulnerability.
Jenkins remote code execution vulnerability
This vulnerability lies in Jenkins APIs that deserialize XML through XStream, for example the createitem URL and the config.xml remote API. An attacker who can reach these APIs can execute code remotely on the Jenkins server and may end up with control of the server itself.
Condition and method of exploitation
This vulnerability can be exploited remotely. The following versions are affected:
- Jenkins version <= 2.43
- Jenkins LTS version <= 2.32.1
Check whether any of your Jenkins instances run an affected version.
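As an added example that is not part of this advisory, the following Python check classifies a reported Jenkins version against the affected ranges above and lists which instances in an inventory need which upgrade. It relies on the Jenkins version convention that LTS releases carry three components (2.32.1) and main-line releases two (2.43); the host inventory is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Thresholds from the advisory: main line <= 2.43 and LTS <= 2.32.1 are affected.
WEEKLY_FIXED = (2, 44)    # first unaffected main-line release
LTS_FIXED = (2, 32, 2)    # first unaffected LTS release

# Main-line releases carry two components (2.43); LTS releases carry three (2.32.1).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")

def parse_version(version: str) -> Tuple[int, ...]:
    """Parse '2.43' -> (2, 43) or '2.32.1' -> (2, 32, 1); reject anything else."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)

def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range for its release line."""
    parts = parse_version(version)
    fixed = LTS_FIXED if len(parts) == 3 else WEEKLY_FIXED
    return parts < fixed  # tuple comparison is component-wise, so 2.9 < 2.44 holds

def required_upgrade(version: str) -> Optional[str]:
    """Minimum fixed release for an affected version, or None if no upgrade is needed."""
    if not is_affected(version):
        return None
    fixed = LTS_FIXED if len(parse_version(version)) == 3 else WEEKLY_FIXED
    return ".".join(str(p) for p in fixed)

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, upgrade_to) for every affected instance in an inventory."""
    hits = []
    for host, version in sorted(inventory.items()):
        target = required_upgrade(version)
        if target:
            hits.append((host, version, target))
    return hits

# Constructed sample inventory (host -> version reported by the instance); not real hosts.
SAMPLE_INVENTORY = {
    "ci-weekly.example.internal": "2.43",
    "ci-lts.example.internal": "2.32.1",
    "ci-old-lts.example.internal": "1.651.3",
    "ci-patched.example.internal": "2.44",
    "ci-lts-patched.example.internal": "2.32.2",
}

if __name__ == "__main__":
    for host, version, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {target} or later")
```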
How to fix or mitigate
Configure a security group policy that restricts who can reach Jenkins. We recommend granting access only from the intranet or to local administrators, and not exposing Jenkins to the Internet.
Upgrade Jenkins to the latest version.
- Jenkins main line users must upgrade Jenkins to 2.44 or a later version.
- Jenkins LTS users must upgrade Jenkins to 2.32.2 or a later version.