CVE-2017-1000353

描述

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

如何修補 CVE-2017-1000353

要修補 CVE-2017-1000353,請將受影響套件升級到下列已修補版本。

• —升級至 2.57 或更新版本

CVE-2017-1000353 正在被利用嗎?

是 — CVE-2017-1000353 已列入 CISA Known Exploited Vulnerabilities (KEV) 清單,代表正在被實際利用,請立即修補。

受影響套件(1)

• >= 2.50, < 2.57

CVSS 分數

參考連結(10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-1000353
• PATCHgithub.com/jenkinsci/jenkins
• WEBpacketstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html
• WEBgithub.com/jenkinsci/jenkins/commit/36b8285a41eb28333549e8d851f81fd80a184076