Jenkins versions 2.56 and previous versions as well as 2.46.1 LTS and previous versions are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed malicious users to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
jenkins jenkins |
||
oracle communications cloud native core automated test suite 1.9.0 |
The hip world of continuous integration meets the dark world of crypto-jacking Good news, everyone: Ransomware declining. Bad news: Miscreants are turning to crypto-mining on infected PCs
Here's a salutary reminder why it pays to patch promptly: a Jenkins bug patched last year became the vector for a multi-million-dollar cryptocurrency mining hijack. A campaign security researchers dubbed “JenkinsMiner” exploited CVE-2017-1000353, a deserialisation bug first disclosed with fixes by the Jenkins team in April 2017. According to Check Point researchers, that bug helped an attacker, believed to be from China, use Jenkins servers as mining rigs – after they'd already garnered US...