edit-icon download-icon

[Vulnerability notice] CVE-2017-1000353: Java deserialization remote code execution vulnerability in Jenkins

Last Updated: Apr 02, 2018

Recently, Jenkins has released a security publication, introducing the high-severity Java deserialization vulnerability in Jenkins. This vulnerability can cause remote code execution.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-1000353

Vulnerability name

Jenkins Java deserialization remote code execution vulnerability

Vulnerability rating

High

Vulnerability description

This vulnerability is found in the specific implementation code of bidirectional communication channels using HTTP. Jenkins uses the channels to receive commands. Attackers can construct malicious attack parameters to remotely run commands to gain system permissions, which may result in data leakage.

Condition and method of exploitation

This vulnerability can be exploited remotely.

Affected scope

Jenkins 2.32.1

Vulnerability detection

Check whether any affected version of Jenkins is used.

How to fix or mitigate

  • The PoC has been published. We recommend that you upgrade Jenkins to the latest version as soon as possible.

    • Jenkins main line users must upgrade Jenkins to 2.58.
    • Jenkins LTS users must upgrade Jenkins to 2.46.2.
  • Perform security hardening on the Jenkins backend. Configure a strong password, and use security group to configure a strict network access control policy that prevents access by everyone.

Reference

[1]. https://jenkins.io/security/advisory/2017-04-26/
[2]. https://www.seebug.org/vuldb/ssvid-93062

Thank you! We've received your feedback.