Jenkins CLI vulnerability briefing - vulnerability alert - Black Bar Safety Net

2016-11-27T00:00:00
ID MYHACK58:62201681570
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-11-27T00:00:00

Description

Recently, the China National Vulnerability Database of Information Security (CNNVD) received a report of a remote code execution vulnerability in the Jenkins CLI (CNNVD-201611-384). The vulnerability stems from a Java deserialization issue in the Jenkins CLI, which allows a remote attacker to execute arbitrary code on Jenkins and go on to take control of the server. On November 16, Jenkins officially published a security update announcement for the vulnerability. Because the vulnerability affects a wide range of systems and its severity is high, CNNVD has tracked and analyzed it; the findings are as follows.

I. Vulnerability introduction

CloudBees Jenkins is an open-source, Java-based continuous integration automation server developed by the US company CloudBees. It is mainly used to monitor ongoing software release/test projects and to run scheduled tasks. Jenkins LTS (Long-Term Support) is the long-term support release line of CloudBees Jenkins. CloudBees Jenkins 2.31 and earlier, and Jenkins LTS 2.19.2 and earlier, contain a remote code execution vulnerability (vulnerability number: CNNVD-201611-384, CVE-2016-9299). An attacker can exploit it by sending malicious serialized Java objects, executing arbitrary code and bypassing protection mechanisms.

II. Vulnerability hazards

A remote attacker can construct malicious serialized Java objects and send them to the Jenkins CLI. When the CLI parses and processes them, Jenkins can be made to connect to an LDAP server under the attacker's control; that LDAP server then returns malicious content that leads to arbitrary code execution on Jenkins, giving the attacker full control of the server.

According to statistics, over a thousand websites worldwide currently use Jenkins, and 12,579 sites are affected by the vulnerability; the top five countries are the United States, China, Ireland, Germany and the Netherlands.

Figure 1: Jenkins global distribution
Figure 2: Global distribution of sites affected by the vulnerability

About 1,577 affected sites are in China, mainly located in Zhejiang (61%), Beijing (19%), Shanghai (6%) and other regions, and belonging to Internet businesses, universities and other industries.

Figure 3: Jenkins distribution in China
Figure 4: Distribution of affected sites in China

III. Repair measures

Jenkins has released fixed versions for this vulnerability, and the vulnerability details and exploitation method have already been published on the Internet. Affected users should upgrade to the latest version as soon as possible to eliminate the vulnerability.

1. Jenkins main line (weekly) users should upgrade to version 2.32.
2. Jenkins LTS users should upgrade to version 2.19.3.

Jenkins announcement link: https://jenkins.io/blog/2016/11/16/security-updates-addressing-zero-day/

This report was prepared with the support of the CNNVD technical support units Beijing Changting Technology Co., Ltd. and Beijing Baimaohui Technology Co., Ltd. CNNVD will continue to track the vulnerability and release relevant information in a timely manner. If necessary, please contact CNNVD. Contact: cnnvd@itsec.gov.cn
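The following is an added example written for this briefing; it is not code from CNNVD or from the Jenkins project. It turns the affected-version ranges above (weekly releases up to 2.31, LTS releases up to 2.19.2, fixed in 2.32 and 2.19.3) into a version check that an operator can run over an inventory of Jenkins instances. It assumes the version is read from the `X-Jenkins` response header that a Jenkins instance sends, that weekly releases carry two version components (2.31) while LTS releases carry three (2.19.2), and the host names and headers in `SAMPLE_INVENTORY` are constructed sample data.

```python
"""Triage Jenkins instances against the version ranges affected by
CVE-2016-9299 / CNNVD-201611-384 (added example, not advisory code)."""
import re
from typing import Dict, Mapping, Optional, Tuple

# Fixed versions named in the Jenkins announcement of 16 November 2016.
FIXED_WEEKLY = (2, 32)      # weekly/main line: 2.31 and earlier are affected
FIXED_LTS = (2, 19, 3)      # LTS line: 2.19.2 and earlier are affected

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.2' into (2, 19, 2); reject anything that is not dotted integers."""
    text = version.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(part) for part in text.split("."))


def is_lts(parts: Tuple[int, ...]) -> bool:
    # Assumption: LTS releases have three components (2.19.2), weekly releases two (2.31).
    return len(parts) == 3


def is_vulnerable(version: str) -> bool:
    """True when the version is in an affected range for this vulnerability."""
    parts = parse_version(version)
    if is_lts(parts):
        return parts < FIXED_LTS
    # Weekly releases: compare on the first two components only.
    return parts[:2] < FIXED_WEEKLY


def version_from_headers(headers: Mapping[str, str]) -> Optional[str]:
    """Return the X-Jenkins header value, matched case-insensitively, or None."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(inventory: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Classify each host as 'vulnerable', 'patched' or 'unknown' (no X-Jenkins header)."""
    result: Dict[str, str] = {}
    for host, headers in inventory.items():
        version = version_from_headers(headers)
        if version is None:
            result[host] = "unknown"
            continue
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            # A header that is not a version string gives no basis for a verdict.
            result[host] = "unknown"
    return result


# Constructed sample inventory: host names and headers are made up for illustration.
SAMPLE_INVENTORY = {
    "ci-1.example.test": {"X-Jenkins": "2.31", "Server": "Jetty(9.2.z-SNAPSHOT)"},
    "ci-2.example.test": {"x-jenkins": "2.19.3"},
    "ci-3.example.test": {"X-Jenkins": "2.7.4"},
    "ci-4.example.test": {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "unknown" still need to be checked by hand (for example from the version shown in the Jenkins web UI), since the absence of the header only means the version could not be read, not that the instance is safe.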