[gmx-developers] Jenkins vulnerability

Mark Abraham mark.j.abraham at gmail.com
Tue Nov 10 08:33:58 CET 2015


Hi,

Thanks! I ran the hotfix and will look into further details.

Mark

On Tue, Nov 10, 2015 at 7:55 AM Åke Sandgren <ake.sandgren at hpc2n.umu.se>
wrote:

> Hi!
>
> In case you haven't seen this yet.
>
> ==================
> Please assign a CVE to this issue:
>
> Remote code execution vulnerability due to unsafe deserialization in
> Jenkins remoting
> Unsafe deserialization allows unauthenticated remote attackers to run
> arbitrary code on the Jenkins master.
> This is tracked as SECURITY-218 in the Jenkins project. All current
> Jenkins releases are affected.
>
> Public exploit:
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins
>
> Temporary workaround:
> https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
>
> A related issue is being discussed here:
> http://www.openwall.com/lists/oss-security/2015/11/09/1
> Jenkins is affected by both this and the Groovy variant in 'ysoserial'.
>
> We plan to release a fix for this as part of our planned security update
> on Wednesday.
>
> ==================
>
> --
> Ake Sandgren, HPC2N, Umea University, S-90187 Umea, Sweden
> Internet: ake at hpc2n.umu.se   Phone: +46 90 7866134 Fax: +46 90-580 14
> Mobile: +46 70 7716134 WWW: http://www.hpc2n.umu.se