On February 1, 2017, Jenkins published a security advisory covering 18 vulnerabilities of varying severity. One high-severity vulnerability allows remote code execution against Jenkins servers and poses a serious security risk. Jenkins has released new versions that fix it.
See the following for more information about the vulnerability.
CVE identifier
CVE-2017-2608
Vulnerability name
Jenkins remote code execution vulnerability
Vulnerability rating
High
Vulnerability description
This vulnerability lies in the remote APIs that deserialize XML with the XStream library, such as the createItem URL and the config.xml remote API. An attacker who can reach these APIs can exploit it to execute arbitrary code on the Jenkins server and, through that, take control of the server itself.
Condition and method of exploitation
This vulnerability can be exploited remotely over the network, through the XStream-based remote APIs listed above.
Affected scope
- Jenkins main line (weekly) version <= 2.43
- Jenkins LTS version <= 2.32.1
Vulnerability detection
Check whether the Jenkins version in use falls within the affected range above. Note that main line and LTS releases have separate fix versions, so the release line must be identified before comparing version numbers.
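The following is an added example, not part of the original advisory, showing one way to automate this check. Jenkins returns its version in the X-Jenkins HTTP response header; the script reads that header from a raw response header block, tells LTS releases (three version components, e.g. 2.32.1) apart from main line releases (two components, e.g. 2.43), and compares each against the corresponding fixed version from the advisory. The sample responses at the bottom are constructed for illustration, not captured from a real server.

```python
import re
from typing import Optional, Tuple

# Fixed releases from the 2017-02-01 advisory; anything below these is affected.
FIXED_WEEKLY = (2, 44)    # main line ("weekly") releases use two components, e.g. 2.43
FIXED_LTS = (2, 32, 2)    # LTS releases use three components, e.g. 2.32.1

# Leading numeric version with one or two dots; trailing suffixes are ignored.
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,2})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple at the start of `text`, or None if absent."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_lts(version: Tuple[int, ...]) -> bool:
    """Assumption: LTS releases carry a third component (2.32.1); weeklies do not (2.43)."""
    return len(version) == 3


def is_affected(version: Tuple[int, ...]) -> bool:
    """CVE-2017-2608 affects main line <= 2.43 and LTS <= 2.32.1."""
    if is_lts(version):
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Extract the X-Jenkins header value from a raw HTTP response header block."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess(raw_headers: str) -> str:
    """Classify one server's response headers as 'affected', 'fixed' or 'unknown'."""
    value = version_from_headers(raw_headers)
    version = parse_version(value) if value else None
    if version is None:
        return "unknown"   # not Jenkins, or version header absent/unparseable
    return "affected" if is_affected(version) else "fixed"


# Constructed sample responses (not captured from a real server).
SAMPLE_LTS_OLD = "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.32.1\r\nX-Hudson: 1.395\r\n"
SAMPLE_WEEKLY_FIXED = "HTTP/1.1 200 OK\r\nX-Jenkins: 2.44\r\n"
SAMPLE_NOT_JENKINS = "HTTP/1.1 200 OK\r\nServer: nginx\r\n"

if __name__ == "__main__":
    for label, headers in [("lts-old", SAMPLE_LTS_OLD),
                           ("weekly-fixed", SAMPLE_WEEKLY_FIXED),
                           ("not-jenkins", SAMPLE_NOT_JENKINS)]:
        print(f"{label}: {assess(headers)}")
```

An 'unknown' result is not a clean bill of health: a reverse proxy may strip the X-Jenkins header, so confirm the version from the Jenkins UI footer or the instance's own configuration when the header is missing.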
How to fix or mitigate
Configure a security group policy to restrict access to Jenkins. We recommend granting access only to intranet users or local administrators and not exposing the Jenkins server to the Internet.
Upgrade Jenkins to a fixed version.
- Jenkins main line users must upgrade to 2.44 or later.
- Jenkins LTS users must upgrade to 2.32.2 or later.
Reference
[1]. https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01