Jenkins deserialization Remote Code Execution Vulnerability (CVE-2015-8103)
Affected Systems:
Jenkins jenkins LTS <= 1.625.1
Jenkins jenkins <= 1.637
Unaffected system:
Jenkins jenkins 1.638
Jenkins jenkins 1.625.2
Description:
Bugtraq id: 77636
CVE (CAN) ID: CVE-2015-8103
Jenkins is an extensible open-source continuous integration server.
Jenkins 1.637 and earlier, and Jenkins LTS 1.625.1 and earlier, contain an insecure deserialization vulnerability that allows unauthenticated remote attackers to execute arbitrary code on the Jenkins host.
Source: Gabriel Lawrence, Chris Frohoff
Suggestion:
Vendor patch:
Jenkins
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
References:
http://lwn.net/Articles/664844/
http://seclists.org/oss-sec/