Jenkins Vulnerability, jenkins security vulnerability, CVE-2017-1000356, CVE-2017-1000353, CVE-2017-1000354, CVE-2017-1000355

On April 26, 2017, the Jenkins project (a software integration platform) issued a security advisory and released updated versions fixing multiple security vulnerabilities (CVE-2017-1000356, CVE-2017-1000353, CVE-2017-1000354, CVE-2017-1000355).

Brief description of the vulnerabilities

CVE-2017-1000356

Multiple CSRF vulnerabilities allow an attacker to make Jenkins restart immediately or schedule a delayed restart, remove all configured update sites, install and load any plugin available on the configured update site, change the Jenkins system, security and tool configuration, create a new agent, and more.

CVE-2017-1000353

This vulnerability allows unauthenticated remote code execution. An attacker can send a serialized Java SignedObject to the remoting-based Jenkins CLI; the object embedded in it is then deserialized with a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.
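The bypass described above, illustrated with constructed code (an added example, not Jenkins or Jenkins CLI code): a stand-in class `BlockedType` plays the blacklisted type, `BlacklistingObjectInputStream` models a per-stream blacklist enforced in `resolveClass()`, and the hardened variant installs a JVM-wide serialization filter (`java.io.ObjectInputFilter`, Java 9+) that every `ObjectInputStream` consults, including the one `SignedObject.getObject()` creates internally. Class and method names are this example's own.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

/** Added illustration: a per-stream blacklist cannot see an object that re-deserializes itself. */
public class NestedDeserializationDemo {

    /** Constructed stand-in for a class the blacklist is meant to keep out (hypothetical). */
    static class BlockedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static final Set<String> BLACKLIST = Set.of(BlockedType.class.getName());

    /** Blacklist enforced in resolveClass(): only classes read by THIS stream are checked. */
    static class BlacklistingObjectInputStream extends ObjectInputStream {
        BlacklistingObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (BLACKLIST.contains(desc.getName())) {
                throw new InvalidClassException("blacklisted class: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Reads a SignedObject through the blacklisting stream, then unwraps its payload. */
    static String readWrapped(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new BlacklistingObjectInputStream(new ByteArrayInputStream(bytes))) {
            // The outer stream only resolves SignedObject, byte[] and String: the blacklist passes.
            SignedObject so = (SignedObject) ois.readObject();
            // getObject() builds its own ObjectInputStream over the embedded bytes, so the
            // resolveClass() check above never runs for the inner object.
            return so.getObject().getClass().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Direct: the blacklist catches the class.
        byte[] direct = serialize(new BlockedType());
        try (ObjectInputStream ois = new BlacklistingObjectInputStream(new ByteArrayInputStream(direct))) {
            ois.readObject();
            System.out.println("direct: not blocked (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("direct: blocked -> " + e.getMessage());
        }

        // 2. Wrapped in a SignedObject (constructed here; any key works, getObject() does not verify).
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        SignedObject wrapped = new SignedObject(new BlockedType(), kp.getPrivate(),
                Signature.getInstance("SHA256withRSA"));
        byte[] outer = serialize(wrapped);
        System.out.println("wrapped: inner object deserialized as " + readWrapped(outer));

        // 3. Hardened: a process-wide filter (JEP 290) is applied by every ObjectInputStream,
        //    including the one SignedObject creates internally.
        ObjectInputFilter.Config.setSerialFilter(info -> {
            Class<?> c = info.serialClass();          // null for depth/array-length checks
            if (c != null && BLACKLIST.contains(c.getName())) return ObjectInputFilter.Status.REJECTED;
            return ObjectInputFilter.Status.UNDECIDED;
        });
        try {
            readWrapped(outer);
            System.out.println("wrapped+filter: not blocked (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("wrapped+filter: blocked -> " + e.getMessage());
        }
    }
}
```

The point of the example is the third step: a filter attached to one stream object is not a property of the JVM, so any class whose deserialization opens a second stream (SignedObject is one) gets an unfiltered path. `ObjectInputFilter.Config.setSerialFilter` may only be called once per process and fails if a filter was already configured via the `jdk.serialFilter` system property, which is the usual way to deploy it in production.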

CVE-2017-1000354

The remoting-based CLI stores the encrypted user name of a previously authenticated user in a cache file that is used to authenticate further commands. Users with permission to create secrets in Jenkins can use this vulnerability to impersonate any other Jenkins user on the same instance.

CVE-2017-1000355

Jenkins uses the XStream library to serialize and deserialize XML. Its maintainers recently published a security vulnerability: anyone able to supply XML that Jenkins deserializes with XStream can crash the Java process. In Jenkins, this typically applies to users with permission to create or configure items (jobs), views, or agents.

For full details of the vulnerabilities, see the following link: http://ift.tt/2pmpqML

Affected versions

Jenkins (weekly) version <= 2.56

Jenkins LTS version <= 2.46.1

Unaffected (fixed) versions

Jenkins (weekly) version 2.57

Jenkins LTS version 2.46.2
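To check a running instance against the version ranges above, here is an added example (not from the Jenkins project): it compares the version string Jenkins reports in its `X-Jenkins` response header with the fixed releases, treating three-component versions (2.46.1) as LTS and two-component versions (2.56) as weekly, which is how Jenkins numbers the two release lines. The class and method names, and the sample version values, are this example's own.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.Arrays;

/** Added example: classify a Jenkins version against the fixed releases in this advisory. */
public class JenkinsAdvisoryCheck {
    // Fixed releases named in the advisory.
    static final int[] FIXED_WEEKLY = {2, 57};
    static final int[] FIXED_LTS = {2, 46, 2};

    /** "2.46.1-SNAPSHOT" -> {2, 46, 1}; a non-numeric component raises NumberFormatException. */
    static int[] parse(String version) {
        String core = version.trim().split("-", 2)[0];
        return Arrays.stream(core.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    /** Component-wise comparison; a shorter prefix sorts before its longer extension. */
    static int compare(int[] a, int[] b) {
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return Integer.compare(a.length, b.length);
    }

    /** LTS releases carry three components (2.46.1); weekly releases carry two (2.56). */
    static boolean isLts(int[] v) { return v.length == 3; }

    /** True when the version is below the fixed release of its own line. */
    static boolean isAffected(String version) {
        int[] v = parse(version);
        return compare(v, isLts(v) ? FIXED_LTS : FIXED_WEEKLY) < 0;
    }

    /** Reads the X-Jenkins header from a live server; Jenkins sets it even on 403 responses. */
    static String fetchVersion(String baseUrl) throws Exception {
        HttpURLConnection c = (HttpURLConnection) URI.create(baseUrl).toURL().openConnection();
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        try {
            return c.getHeaderField("X-Jenkins");   // null if the target is not Jenkins
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, shaped like what a real server returns in X-Jenkins.
        for (String s : new String[] {"2.56", "2.57", "2.46.1", "2.46.2", "2.60.1"}) {
            System.out.println(s + " -> " + (isAffected(s) ? "AFFECTED" : "fixed"));
        }
        if (args.length == 1) {   // e.g. java JenkinsAdvisoryCheck https://jenkins.example/
            String v = fetchVersion(args[0]);
            System.out.println(args[0] + " reports " + v + " -> "
                    + (v == null ? "no X-Jenkins header" : isAffected(v) ? "AFFECTED" : "fixed"));
        }
    }
}
```

The version comparison is done per line, never across lines: 2.46.2 (LTS) is fixed even though it is numerically below 2.57 (weekly). A server that hides or rewrites the `X-Jenkins` header returns null here, which the check reports rather than treating as fixed.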

Solution

Jenkins has released new versions that fix the above vulnerabilities. Affected users should upgrade to a fixed version as soon as possible; the download link is as follows:

http://ift.tt/27eXWqm

Reference links:

http://ift.tt/2pfv2rx

http://ift.tt/2q762Bo

http://ift.tt/2pmpqML

The post Jenkins multiple Vulnerability appeared first on Penetration Testing in Linux. http://ift.tt/2qhxo7L http://ift.tt/2aM8QhC
