CVE-2017-1000353: Jenkins unauthenticated remote code execution
Severity
Critical
Vendor
Jenkins
Description
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, which would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. SignedObject has been added to the remoting blacklist.
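The bypass described above hinges on SignedObject.getObject() opening its own ObjectInputStream, which a per-stream blacklist never sees. The following is an added illustration (not Jenkins or Altoros code) of why a resolveClass-style blacklist on the outer stream is insufficient and why a process-wide filter is the durable control; the class names are constructed and java.util.HashMap is used only as a harmless stand-in for a class an operator has chosen to block. It assumes Java 9 or later for java.io.ObjectInputFilter.

```java
import java.io.*;
import java.security.*;
import java.util.HashMap;
public class NestedStreamFilterDemo {
    // Constructed per-stream blacklist in the resolveClass style; java.util.HashMap stands in
    // for a blocked class purely for this demo (it is not itself a dangerous class).
    static class BlacklistingInputStream extends ObjectInputStream {
        BlacklistingInputStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
            if (d.getName().equals("java.util.HashMap"))
                throw new InvalidClassException("blocked by per-stream blacklist: " + d.getName());
            return super.resolveClass(d);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Reads a SignedObject through the per-stream blacklist and unwraps it; returns the class
    // name of the reconstructed inner object, or the rejection message if a filter stopped it.
    static String unwrapThroughBlacklist(byte[] wire) throws Exception {
        try (ObjectInputStream in = new BlacklistingInputStream(new ByteArrayInputStream(wire))) {
            SignedObject so = (SignedObject) in.readObject(); // SignedObject itself is not on the list
            return so.getObject().getClass().getName();       // getObject() opens a fresh ObjectInputStream
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        HashMap<String, String> inner = new HashMap<>();
        inner.put("k", "v");
        byte[] wire = serialize(new SignedObject(inner, kp.getPrivate(), Signature.getInstance("SHA256withRSA")));
        // Sent directly, the blocked class is caught by the per-stream blacklist.
        try (ObjectInputStream in = new BlacklistingInputStream(new ByteArrayInputStream(serialize(inner)))) {
            in.readObject();
        } catch (InvalidClassException e) { System.out.println("direct: " + e.getMessage()); }
        // Wrapped in a SignedObject, the same class is reconstructed by the nested stream unchecked.
        System.out.println("wrapped, per-stream blacklist: " + unwrapThroughBlacklist(wire));
        // Mitigation: a process-wide filter (JEP 290, java.io.ObjectInputFilter, Java 9+) is attached
        // to every ObjectInputStream, including the one SignedObject.getObject() creates internally.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("!java.util.HashMap;*"));
        System.out.println("wrapped, process-wide filter: " + unwrapThroughBlacklist(wire));
    }
}
```

Note that setSerialFilter may be called only once per JVM and throws IllegalStateException if a filter was already installed via the jdk.serialFilter system property, so in production the filter is normally configured at startup rather than in code.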
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- All versions of Altoros Jenkins for PCF prior to 1.0.2
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade Altoros Jenkins for PCF to 1.0.2