
====================================================================

                              CERT-Renater

                   Information Notice No. 2016/VULN391
_____________________________________________________________________

DATE                : 18/11/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins main line up to and
                     including 2.31, or Jenkins LTS up to and including
                     2.19.2 (fixed in 2.32 and LTS 2.19.3 respectively).

=====================================================================
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16
____________________________________________________________________

  Jenkins Security Advisory 2016-11-16



     Added by Daniel Beck, last edited by Daniel Beck on Nov 16, 2016



This advisory announces the fix for a previously disclosed zero-day
vulnerability in Jenkins.


Description

Remote code execution vulnerability in remoting module

SECURITY-360 / CVE-2016-9299

An unauthenticated remote code execution vulnerability allowed
attackers to send a serialized Java object to the Jenkins CLI.
Deserializing that object made Jenkins connect to an attacker-controlled
LDAP server, which in turn could return a serialized payload leading to
code execution. The chain bypassed the protection mechanisms already in
place against deserialization attacks (the list of prohibited classes,
see Notes below).


Severity

     SECURITY-360 is considered critical as it allows unprivileged
attackers to execute arbitrary code.


Affected versions

     All Jenkins main line releases up to and including 2.31
     All Jenkins LTS releases up to and including 2.19.2


Fix

     Jenkins main line users should update to 2.32
     Jenkins LTS users should update to 2.19.3

These versions include the fix for the vulnerability described above.
All prior versions are affected.
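A check an administrator can run against the version ranges stated above, added here as an example (it is not part of the Jenkins advisory or of Jenkins itself): it parses a Jenkins version string, tells LTS from main line by the number of version components, and compares against the fixed release of that line. Jenkins reports its version in the X-Jenkins HTTP response header; the sample headers below are constructed.

```python
"""Decide whether a Jenkins instance is in the range affected by
SECURITY-360 / CVE-2016-9299, using the ranges stated in the advisory:
main line up to and including 2.31 (fixed in 2.32) and LTS up to and
including 2.19.2 (fixed in 2.19.3).

Jenkins LTS versions have three numeric components (e.g. 2.19.2) and
main line versions have two (e.g. 2.31); that is how the two lines are
told apart here.  1.x releases (e.g. 1.651.3 LTS, 1.656 main line) sort
below both fixed versions and are therefore reported as affected, which
matches the advisory's "all ... releases up to and including" wording.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_MAINLINE: Tuple[int, ...] = (2, 32)
FIXED_LTS: Tuple[int, ...] = (2, 19, 3)

# Plain numeric versions only; suffixed builds (e.g. "2.32-SNAPSHOT") are
# rejected rather than guessed at, so the caller has to look at them.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.19.2" into (2, 19, 2); raise ValueError for anything else."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in match.groups() if p is not None)


def release_line(parts: Tuple[int, ...]) -> str:
    """'lts' for three-component versions, 'mainline' for two-component ones."""
    return "lts" if len(parts) == 3 else "mainline"


def is_affected(version: str) -> bool:
    """True if this version is below the fixed release of its own line."""
    parts = parse_version(version)
    fixed = FIXED_LTS if release_line(parts) == "lts" else FIXED_MAINLINE
    return parts < fixed


def affected_from_headers(headers: Dict[str, str]) -> Optional[bool]:
    """Jenkins reports its version in the X-Jenkins response header.
    Returns None when the header is absent or not parseable."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            try:
                return is_affected(value)
            except ValueError:
                return None
    return None


# Constructed sample headers, as one might capture with `curl -I <jenkins-url>`.
SAMPLE_HEADERS = {"Server": "Jetty(9.2.z-SNAPSHOT)", "X-Jenkins": "2.19.2"}

if __name__ == "__main__":
    for v in ("2.31", "2.32", "2.19.2", "2.19.3", "1.651.3"):
        print(f"{v:>8} {release_line(parse_version(v)):>8} affected={is_affected(v)}")
    print("from headers:", affected_from_headers(SAMPLE_HEADERS))
```

Versions with a suffix are deliberately rejected instead of being stripped: a release candidate or snapshot build carrying the fixed version number does not prove it contains the fix, so such instances should be checked by hand.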


Notes

As part of this fix, a number of other so-called "gadgets" (classes
whose deserialization has side effects that can be chained into code
execution) were reviewed and are now also prohibited. We tracked this
activity as SECURITY-317.
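The Description says the attack delivered a serialized Java object to the CLI and bypassed the protection already in place; the Notes say further gadget classes are now prohibited. The following added example (not Jenkins code and not part of the advisory) shows what such a name-based filter actually sees: it scans a Java serialization stream for TC_CLASSDESC records, extracts the class names, and compares them against a deny-list. The stream, the serialVersionUID values and the deny-list entries are constructed for the example; com.example.KnownGadget and com.example.UnlistedGadget are hypothetical names. The point is structural: a class that is not on the list passes unchallenged, which is why such a list has to be extended every time a new gadget is found.

```python
"""Heuristic inspection of a Java serialization stream, and a name-based
deny-list check of the kind used to prohibit deserialization "gadgets".

Only the parts of the stream grammar needed here are modelled:
  STREAM_MAGIC (0xACED) STREAM_VERSION (0x0005)
  TC_CLASSDESC className(UTF: 2-byte length + bytes) serialVersionUID(8)
               classDescFlags(1) fieldCount(2) ... TC_ENDBLOCKDATA superClassDesc
The scanner does not walk the full grammar; it looks for TC_CLASSDESC
records whose name and flag byte are plausible, which is enough to list
what a resolveClass()-style filter would be asked about.
"""
import re
import struct
from typing import List, Set, Tuple

STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
SC_WRITE_METHOD, SC_SERIALIZABLE, SC_EXTERNALIZABLE = 0x01, 0x02, 0x04
SC_BLOCK_DATA, SC_ENUM = 0x08, 0x10
_KNOWN_FLAGS = SC_WRITE_METHOD | SC_SERIALIZABLE | SC_EXTERNALIZABLE | SC_BLOCK_DATA | SC_ENUM

# Binary class names as written in the stream, including array descriptors
# such as "[Ljava.lang.Object;" or "[B".
_CLASS_NAME_RE = re.compile(r"^\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?$")


def is_java_serialized(data: bytes) -> bool:
    """True when the payload starts with the Java serialization magic."""
    return data[:4] == STREAM_MAGIC


def class_names(data: bytes) -> List[str]:
    """Class names from plausible TC_CLASSDESC records, in stream order."""
    names: List[str] = []
    if not is_java_serialized(data):
        return names
    i = 4
    while i + 3 <= len(data):
        if data[i] != TC_CLASSDESC:
            i += 1
            continue
        (length,) = struct.unpack_from(">H", data, i + 1)
        start, end = i + 3, i + 3 + length
        if end + 9 > len(data):          # need name + serialVersionUID + flags
            i += 1
            continue
        try:
            name = data[start:end].decode("utf-8")
        except UnicodeDecodeError:
            i += 1
            continue
        flags = data[end + 8]
        plausible = (_CLASS_NAME_RE.match(name) is not None
                     and flags & ~_KNOWN_FLAGS == 0
                     and flags & (SC_SERIALIZABLE | SC_EXTERNALIZABLE) != 0)
        if plausible:
            names.append(name)
            i = end + 9                   # continue after the flags byte
        else:
            i += 1
    return names


def filter_stream(data: bytes, denylist: Set[str]) -> Tuple[List[str], List[str]]:
    """Mimic a name-based filter: (all names seen, names the list rejects).
    Anything not on the list is let through, which is the weakness such a
    list has against a gadget that has not been catalogued yet."""
    names = class_names(data)
    return names, [n for n in names if n in denylist]


# --- constructed sample payload -------------------------------------------
def _class_desc(name: str, suid: int) -> bytes:
    """Minimal classDesc: Serializable, no fields, no annotation, no superclass."""
    raw = name.encode("utf-8")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw
            + struct.pack(">q", suid) + bytes([SC_SERIALIZABLE])
            + struct.pack(">H", 0) + bytes([TC_ENDBLOCKDATA, TC_NULL]))


def _object(name: str, suid: int) -> bytes:
    return bytes([TC_OBJECT]) + _class_desc(name, suid)


# Two objects written back to back; the serialVersionUID values are made up.
SAMPLE_STREAM = (STREAM_MAGIC
                 + _object("java.util.HashMap", 0x0102030405060708)
                 + _object("com.example.UnlistedGadget", 0x1122334455667788))

# Hypothetical deny-list: it knows one gadget name, not the one in the stream.
HYPOTHETICAL_DENYLIST = {"com.example.KnownGadget"}

if __name__ == "__main__":
    seen, rejected = filter_stream(SAMPLE_STREAM, HYPOTHETICAL_DENYLIST)
    print("classes in stream:", seen)
    print("rejected by list :", rejected or "none -> stream would be accepted")
```

Run against the sample, the filter rejects nothing because com.example.UnlistedGadget is not on the list; adding that name (as SECURITY-317 did for the gadgets it reviewed) makes the same stream fail. The scanner is also a cheap triage step for captured CLI traffic: the magic bytes identify Java serialization, and the class names tell an analyst what the sender was trying to have instantiated.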


Other resources

     November 16 blog post announcing the fixes
     November 11 blog post with workaround after public disclosure of
                 the vulnerability
     LTS 2.19.3 upgrade guide for Jenkins administrators
     Corresponding security advisory for CloudBees Jenkins Enterprise
                 and CloudBees Jenkins Operations Center



==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================


