[gmx-developers] Jenkins vulnerability

Åke Sandgren ake.sandgren at hpc2n.umu.se
Tue Nov 10 07:55:50 CET 2015


Hi!

In case you haven't seen this yet.

==================
Please assign a CVE to this issue:

Remote code execution vulnerability due to unsafe deserialization in
Jenkins remoting
Unsafe deserialization allows unauthenticated remote attackers to run
arbitrary code on the Jenkins master.
This is tracked as SECURITY-218 in the Jenkins project. All current
Jenkins releases are affected.

Public exploit:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins

Temporary workaround:
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

A related issue is being discussed here:
http://www.openwall.com/lists/oss-security/2015/11/09/1
Jenkins is affected by both this and the Groovy variant in 'ysoserial'.

We plan to release a fix for this as part of our planned security update
on Wednesday.

==================

-- 
Ake Sandgren, HPC2N, Umea University, S-90187 Umea, Sweden
Internet: ake at hpc2n.umu.se   Phone: +46 90 7866134 Fax: +46 90-580 14
Mobile: +46 70 7716134 WWW: http://www.hpc2n.umu.se