
[Vulnerability notice] CVE-2017-2608: Remote code execution vulnerability in Jenkins

Last Updated: Apr 02, 2018

On February 1, 2017, Jenkins published a security advisory [1] covering 18 vulnerabilities of varying severity. One high-severity issue, CVE-2017-2608, allows remote code execution against a Jenkins master and therefore poses a serious risk. Jenkins has released fixed versions that close this vulnerability.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-2608

Vulnerability name

Jenkins remote code execution vulnerability

Vulnerability rating

High

Vulnerability description

The vulnerability lies in Jenkins' use of the XStream library to deserialize XML. Endpoints that accept XStream-serialized XML, such as the createItem URL and the config.xml remote APIs, can be fed crafted XML that executes arbitrary code on the Jenkins master, giving the attacker control of the server.

Condition and method of exploitation

This vulnerability can be exploited remotely: the crafted XML is sent to the affected endpoints over the network, and no local access to the server is required.

Affected scope

  • Jenkins version <= 2.43
  • Jenkins LTS version <= 2.32.1

Vulnerability detection

Check whether the Jenkins version in use falls within the affected ranges above (mainline <= 2.43 or LTS <= 2.32.1). The running version is shown in the footer of the Jenkins web UI and in the X-Jenkins HTTP response header.
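The following script is an added example (not part of the original notice or of Jenkins itself) that classifies a Jenkins version string as mainline or LTS, decides whether it falls in the affected ranges listed above, and reports the minimum fixed release to upgrade to. The `fetch_jenkins_version` helper, which reads the X-Jenkins response header from a live instance, assumes network access to the target and is the only part that cannot run offline; the version strings in the usage lines are constructed inputs.

```python
"""Assess a Jenkins version against the ranges affected by CVE-2017-2608."""
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Affected ranges from the advisory: mainline <= 2.43, LTS <= 2.32.1.
# The first fixed releases are mainline 2.44 and LTS 2.32.2.
MAINLINE_FIXED = (2, 44)
LTS_FIXED = (2, 32, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.32.1' (or '2.32.1-SNAPSHOT') into a comparable tuple of ints.

    Only the leading dot-separated numeric components are kept; any suffix is dropped.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_lts(version: Tuple[int, ...]) -> bool:
    """Jenkins LTS releases carry three components (2.32.1); weekly releases carry two (2.43)."""
    return len(version) == 3


def assess(text: str) -> dict:
    """Return whether the version is affected and, if so, the minimum fixed release to move to."""
    version = parse_version(text)
    lts = is_lts(version)
    fixed = LTS_FIXED if lts else MAINLINE_FIXED
    affected = version < fixed  # tuple comparison is component-wise, e.g. (2, 32, 1) < (2, 32, 2)
    return {
        "version": ".".join(map(str, version)),
        "line": "LTS" if lts else "mainline",
        "affected": affected,
        "upgrade_to": ".".join(map(str, fixed)) if affected else None,
    }


def fetch_jenkins_version(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Read the X-Jenkins header a Jenkins master sends on most responses.

    Assumption: the caller has network access to base_url (e.g. "http://jenkins.internal:8080/").
    Login-protected instances answer 403 but still include the header, so that case is handled.
    """
    req = urllib.request.Request(base_url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as err:
        return err.headers.get("X-Jenkins")


if __name__ == "__main__":
    # Constructed sample inputs covering both release lines on either side of the fix.
    for sample in ("2.43", "2.44", "2.32.1", "2.32.2", "2.7.4"):
        print(assess(sample))
```

Point `fetch_jenkins_version` at each Jenkins master in your inventory and pass the returned header to `assess`; any result with `affected` set to `True` names the release to upgrade to.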

How to fix or mitigate

  • Restrict access to Jenkins with a security group policy: allow connections only from the intranet or from administrators' hosts, and do not expose the Jenkins ports to the Internet.

  • Upgrade Jenkins to a fixed version.

    • Jenkins main line users must upgrade Jenkins to 2.44 or a later version.
    • Jenkins LTS users must upgrade Jenkins to 2.32.2 or a later version.

Reference

[1]. https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01
