Recently, Jenkins has released a security publication, introducing the high-severity Java deserialization vulnerability in Jenkins. This vulnerability can cause remote code execution.
See the following for more information about the vulnerability.
Jenkins Java deserialization remote code execution vulnerability
This vulnerability is found in the specific implementation code of bidirectional communication channels using HTTP. Jenkins uses the channels to receive commands. Attackers can construct malicious attack parameters to remotely run commands to gain system permissions, which may result in data leakage.
Condition and method of exploitation
This vulnerability can be exploited remotely.
Check whether any affected version of Jenkins is used.
How to fix or mitigate
The PoC has been published. We recommend that you upgrade Jenkins to the latest version as soon as possible.
- Jenkins main line users must upgrade Jenkins to 2.58.
- Jenkins LTS users must upgrade Jenkins to 2.46.2.
Perform security hardening on the Jenkins backend. Configure a strong password, and use security group to configure a strict network access control policy that prevents access by everyone.