A brief description of the vulnerability
Jenkins contains multiple CSRF vulnerabilities that allow an attacker to make Jenkins restart immediately or after a delay, remove all configured update sites, install and load any plugin available on the configured update site, change the Jenkins system, security and tool configuration, or create a new agent, among other actions.
A further vulnerability allows an attacker to execute code remotely: a serialized Java SignedObject can be sent to the remoting-based Jenkins CLI, where it is deserialized with a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.
The remoting-based CLI stores the encrypted login credentials of the previously authenticated user in a cache file, which is then used to authenticate further commands. Users with permission to create secrets in Jenkins can use this vulnerability to impersonate any other user on the same instance.
Jenkins uses the XStream library to serialize and deserialize XML. Its maintainers recently published a security issue: any user who can supply XML that Jenkins processes with XStream can crash the Java process. In Jenkins, this typically applies to users with permission to create or configure a project (job), a view, or an agent.
For detailed vulnerability information, please refer to the following link: http://ift.tt/2pmpqML
Affected versions
Jenkins Version <= 2.56
Jenkins LTS Version <= 2.46.1
Fixed versions
Jenkins Version 2.57
Jenkins LTS Version 2.46.2
Mitigation
Jenkins has released new versions that fix the vulnerabilities described above. Affected users should upgrade to the new version as soon as possible; the download link is as follows: