All Vulnerability Reports

CVE-2017-1000353: Jenkins unauthenticated remote code execution


Severity

Critical

Vendor

Jenkins

Description

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. SignedObject has been added to the remoting blacklist.

Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

  • All versions of Altoros Jenkins for PCF prior to 1.0.2
Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade Altoros Jenkins for PCF to 1.0.2
References